Various SSL keys are aging out so we will be updating them before anyone gets a <This CERT is not valid.> page.
We have already updated fedorahosted.org and will now be updating the cert for the main site: fedoraproject.org.
The old certificate came from Equifax, was a 1024 bit key and had the fingerprint:
SHA1 Fingerprint=E7:6D:26:72:D6:A2:2D:7A:5C:CF:BB:D2:05:B9:8E:7C:49:F5:F8:A8
The new certificate is issued by GeoTrust, Inc and is a 4096 bit key with the fingerprint:
SHA1 Fingerprint=F6:D6:28:85:64:B1:11:19:38:2A:82:EF:F8:F0:22:E8:27:4F:A5:CF
Please report any problems with these certificates to admin@fedoraproject.org
The change in certs will happen around 2011-03-10 20:00 UTC
Stephen Smoogen * Seasonal Infrastructure Chief Koffee Officer
On 2011-03-10, Stephen Smoogen smooge@gmail.com wrote:
We have already updated fedorahosted.org and will now be updating the cert for the main site: fedoraproject.org.
The old certificate came from Equifax, was a 1024 bit key and had the fingerprint:
[...]
The new certificate is issued by GeoTrust, Inc and is a 4096 bit key with the fingerprint:
Key length is not everything. Didn't you forget to upgrade the hash algorithm? Sticking with SHA-1, which has been abandoned by ETSI and other authorities, does not look very safe.
-- Petr
On Thu, Mar 10, 2011 at 01:07, Petr Pisar ppisar@redhat.com wrote:
On 2011-03-10, Stephen Smoogen smooge@gmail.com wrote:
We have already updated fedorahosted.org and will now be updating the cert for the main site: fedoraproject.org.
The old certificate came from Equifax, was a 1024 bit key and had the fingerprint:
[...]
The new certificate is issued by GeoTrust, Inc and is a 4096 bit key with the fingerprint:
Key length is not everything. Didn't you forget to upgrade the hash algorithm? Sticking with SHA-1, which has been abandoned by ETSI and other authorities, does not look very safe.
From my research, to use SHA-2 in TLS requires the user and server to both be able to talk TLS 1.2. From what I found on Wikipedia (http://en.wikipedia.org/wiki/Transport_Layer_Security), Firefox does not support 1.2 (only Opera and IE8 do).
-- Petr
-- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Stephen John Smoogen smooge@gmail.com writes:
From my research, to use SHA-2 in TLS requires the user and server to both be able to talk TLS 1.2. From what I found on Wikipedia (http://en.wikipedia.org/wiki/Transport_Layer_Security), Firefox does not support 1.2 (only Opera and IE8 do).
It's being worked on, at least:
On 03/10/2011 09:17 AM, Stephen John Smoogen wrote:
On Thu, Mar 10, 2011 at 01:07, Petr Pisar ppisar@redhat.com wrote:
On 2011-03-10, Stephen Smoogen smooge@gmail.com wrote:
We have already updated fedorahosted.org and will now be updating the cert for the main site: fedoraproject.org.
The old certificate came from Equifax, was a 1024 bit key and had the fingerprint:
[...]
The new certificate is issued by GeoTrust, Inc and is a 4096 bit key with the fingerprint:
Key length is not everything. Didn't you forget to upgrade the hash algorithm? Sticking with SHA-1, which has been abandoned by ETSI and other authorities, does not look very safe.
From my research, to use SHA-2 in TLS requires the user and server to both be able to talk TLS 1.2. From what I found on Wikipedia (http://en.wikipedia.org/wiki/Transport_Layer_Security), Firefox does not support 1.2 (only Opera and IE8 do).
There is more than one usage for SHA-1/SHA-2. TLS uses SHA-1 as an HMAC. SHA-1 is still strong for such use (though prudence would encourage one to move off of SHA-1 even for this operation).
SHA-1 is also used in the certificate. That, in theory, doesn't require TLS 1.2, though only TLS 1.2 includes protocol to tell servers what hashing algorithms the clients support, so in a strict sense only TLS tells you whether or not it's safe to use a cert with something other than SHA-1 or MD5. Most modern browsers will support SHA-2 algorithms in the certificate (even when using SSL3, to TLS 1.x). The notable exceptions are versions of Windows older than Windows XP Service Pack 3, and several older phones.
Many CAs are apparently starting to move to SHA-256 roots this year, mostly driven by NIST standards.
bob
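The distinction Bob draws (hash in the TLS HMAC versus hash in the certificate signature, and only TLS 1.2 telling the server what the client can verify) is visible on the wire in the ClientHello. The following is an added example, not code from this thread or from the Fedora infrastructure team: it builds two constructed ClientHello records, one TLS 1.0 and one TLS 1.2 carrying a signature_algorithms extension, and parses the extension back out. The hash and signature code points are those of RFC 5246 section 7.4.1.4.1; the cipher suite, session id and all-zero random are placeholders.

```python
"""Added example (not from this thread): which ClientHello versions tell the
server what hashes the client can verify certificate signatures with.  Only a
TLS 1.2 ClientHello carries the signature_algorithms extension (RFC 5246,
7.4.1.4.1); the hellos here are constructed, not captured traffic."""
import struct

HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}
EXT_SIGNATURE_ALGORITHMS = 13


def build_client_hello(version, sig_algs=None):
    """TLS record wrapping a minimal ClientHello.  version is (major, minor),
    e.g. (3, 1) for TLS 1.0 or (3, 3) for TLS 1.2; sig_algs is a list of
    (hash, signature) code points, or None for no extension at all."""
    body = bytes(version) + bytes(32)               # client_version, random (all zero here)
    body += b"\x00"                                 # empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"      # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                             # one compression method: null
    if sig_algs is not None:
        pairs = b"".join(bytes([h, s]) for h, s in sig_algs)
        ext_data = struct.pack("!H", len(pairs)) + pairs
        ext = struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, algs): algs is a list like ['sha256/rsa', ...],
    or None when the hello carries no signature_algorithms extension."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    version = (body[0], body[1])
    pos = 2 + 32                                    # client_version + random
    pos += 1 + body[pos]                            # session_id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2 + cs_len                               # cipher_suites
    pos += 1 + body[pos]                            # compression_methods
    if pos >= len(body):
        return version, None                        # no extensions block at all
    (ext_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_size]
        pos += 4 + ext_size
        if ext_type == EXT_SIGNATURE_ALGORITHMS:
            (n,) = struct.unpack_from("!H", data, 0)
            pairs = data[2:2 + n]
            return version, ["%s/%s" % (HASH_NAMES.get(pairs[i], "?"), SIG_NAMES.get(pairs[i + 1], "?"))
                             for i in range(0, len(pairs), 2)]
    return version, None


def accepts_sha256_rsa_cert(record):
    """True/False when the client said so, None when it could not (pre-1.2 hello)."""
    _, algs = parse_client_hello(record)
    return None if algs is None else "sha256/rsa" in algs


if __name__ == "__main__":
    tls10 = build_client_hello((3, 1))
    tls12 = build_client_hello((3, 3), [(4, 1), (2, 1), (5, 3)])
    print(parse_client_hello(tls10), accepts_sha256_rsa_cert(tls10))
    print(parse_client_hello(tls12), accepts_sha256_rsa_cert(tls12))
```

The TLS 1.0 hello comes back with None: a client of that era that verified SHA-256 signatures perfectly well looks identical on the wire to one that could not, which is why the decision to deploy a SHA-256 certificate had to rest on an inventory of clients (the Windows XP pre-SP3 and old phone cases Bob mentions) rather than on anything the protocol says.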
On 2011-03-10, Robert Relyea rrelyea@redhat.com wrote:
SHA-1 is also used in the certificate. That, in theory, doesn't require TLS 1.2, though only TLS 1.2 includes protocol to tell servers what hashing algorithms the clients support, so in a strict sense only TLS tells you whether or not it's safe to use a cert with something other than SHA-1 or MD5. Most modern browsers will support SHA-2 algorithms in the certificate (even when using SSL3, to TLS 1.x). The notable exceptions are versions of Windows older than Windows XP Service Pack 3, and several older phones.
That's the hash usage I referred to. I was amazed that the certificate signature algorithm is RSAwithSHA1. As was said, this does not depend on the TLS version.
Many CAs are apparently starting to move to SHA-256 roots this year, mostly driven by NIST standards.
This year? In Europe we are already past that. All qualified CAs have been forbidden to issue SHA-1 certificates since the beginning of 2010.
-- Petr
Once upon a time, Petr Pisar ppisar@redhat.com said:
This year? In Europe we are already past that. All qualified CAs have been forbidden to issue SHA-1 certificates since the beginning of 2010.
Cite? https://europa.eu/ uses SHA-1 on a cert issued in February 2010. Of course, they also haven't disabled the weak SSL ciphers, so it's hard to claim high security.
On 03/11/2011 09:44 AM, Chris Adams wrote:
Cite? https://europa.eu/ uses SHA-1 on a cert issued in February 2010. Of course, they also haven't disabled the weak SSL ciphers, so it's hard to claim high security.
On my systems all I get is a blank page saying:
Access Denied (policy_denied) Your system policy has denied access to the requested URL. For assistance, contact your network support team.
I am guessing that it's their passive-aggressive way of saying "we use obsolete protocol but it's your problem"
On Fri, Mar 11, 2011 at 08:44:55AM -0600, Chris Adams wrote:
Once upon a time, Petr Pisar ppisar@redhat.com said:
This year? In Europe we are already past that. All qualified CAs have been forbidden to issue SHA-1 certificates since the beginning of 2010.
Cite? https://europa.eu/ uses SHA-1 on a cert issued in February 2010. Of course, they also haven't disabled the weak SSL ciphers, so it's hard to claim high security.
I assume he meant since January 2011. This is at least the official statement for Germany:
http://www.bundesnetzagentur.de/DE/Sachgebiete/QES/Veroeffentlichungen/Algor... http://www.bundesnetzagentur.de/cae/servlet/contentblob/192414/publicationFi...
The relevant pages in the PDF document are pages 3 and 4, especially the table on page 4.
Regards Till
Hi.
On Fri, 11 Mar 2011 20:22:55 +0100, Till Maas wrote
I assume he meant since January 2011. This is at least the official statement for Germany:
http://www.bundesnetzagentur.de/DE/Sachgebiete/QES/Veroeffentlichungen/Algor... http://www.bundesnetzagentur.de/cae/servlet/contentblob/192414/publicationFi...
For those not fluent in German:
this document is about a quite special case (regarding lawfully binding digital signatures) and not about SSL in general.
On Fri, Mar 11, 2011 at 08:37:39PM +0100, Ralf Ertzinger wrote:
Hi.
On Fri, 11 Mar 2011 20:22:55 +0100, Till Maas wrote
I assume he meant since January 2011. This is at least the official statement for Germany:
http://www.bundesnetzagentur.de/DE/Sachgebiete/QES/Veroeffentlichungen/Algor... http://www.bundesnetzagentur.de/cae/servlet/contentblob/192414/publicationFi...
For those not fluent in German:
this document is about a quite special case (regarding lawfully binding digital signatures) and not about SSL in general.
Thanks, I meant to mention this, too. Btw. Petr was referring to these kinds of signatures as well, as far as I understand him:
| All quallified CA's [...] ^^^^^^^^^^
Regards Till
Once upon a time, Ralf Ertzinger fedora@camperquake.de said:
this document is about a quite special case (regarding lawfully binding digital signatures) and not about SSL in general.
I took a short look at software support for other SSL hashes:
- OpenSSL: openssl only offers md5, sha1, md2, mdc2, md4 for generating a signing request or signing a cert
- NSS: certutil doesn't seem to offer the option to set the digest (I didn't see one in -H output and there's no man/info page)
- GnuTLS: certtool supports up to SHA512 for signing, although it only used SHA-1 for a signing request (it appeared to ignore the --hash option when generating a request)
Once I had a SHA512 signed cert, OpenSSL recognized it and recognized the SHA512 signature. It looks like NSS can't just look at a cert PEM file; you have to create a cert database and import the cert; I did that, and it didn't give an error, but I didn't see a way to be "verbose" about it to see that it actually recognized the signature algorithm.
This was all on F14. I tried a few RHEL servers as well; on RHEL 4, OpenSSL did not recognize the signature algorithm (RHEL 5/6 did).
I didn't try to set up Apache with a SHA512 cert to see what browsers recognized it.
On 03/11/2011 12:18 PM, Chris Adams wrote:
Once upon a time, Ralf Ertzingerfedora@camperquake.de said:
this document is about a quite special case (regarding lawfully binding digital signatures) and not about SSL in general.
I took a short look at software support for other SSL hashes:
- OpenSSL: openssl only offers md5, sha1, md2, mdc2, md4 for generating a signing request or signing a cert
- NSS: certutil doesn't seem to offer the option to set the digest (I didn't see one in -H output and there's no man/info page)
By the way, man pages for the nss tools are in development https://bugzilla.redhat.com/show_bug.cgi?id=606020#c3 as you can see, they still need a lot of work
- GnuTLS: certtool supports up to SHA512 for signing, although it only used SHA-1 for a signing request (it appeared to ignore the --hash option when generating a request)
Once I had a SHA512 signed cert, OpenSSL recognized it and recognized the SHA512 signature. It looks like NSS can't just look at a cert PEM file; you have to create a cert database and import the cert; I did that, and it didn't give an error, but I didn't see a way to be "verbose" about it to see that it actually recognized the signature algorithm.
This was all on F14. I tried a few RHEL servers as well; on RHEL 4, OpenSSL did not recognize the signature algorithm (RHEL 5/6 did).
I didn't try to set up Apache with a SHA512 cert to see what browsers recognized it.
On 2011-03-11, Chris Adams cmadams@hiwaay.net wrote:
Once upon a time, Ralf Ertzinger fedora@camperquake.de said:
this document is about a quite special case (regarding lawfully binding digital signatures) and not about SSL in general.
I took a short look at software support for other SSL hashes:
- OpenSSL: openssl only offers md5, sha1, md2, mdc2, md4 for generating a signing request or signing a cert
Not true:
$ openssl req -newkey rsa:2048 -sha256 -new -utf8 -out test.req
[...]
$ openssl req -noout -text <test.req
Certificate Request:
[...]
    Signature Algorithm: sha256WithRSAEncryption
The openssl FOO usage output is outdated. You need to reuse options from other subcommands (e.g. openssl dgst -h).
- NSS: certutil doesn't seem to offer the option to set the digest (I didn't see one in -H output and there's no man/info page)
NSS is under-documented. E.g. I could not figure out how to select a hardware cryptoengine.
- GnuTLS: certtool supports up to SHA512 for signing, although it only used SHA-1 for a signing request (it appeared to ignore the --hash option when generating a request)
Yes, there is a bug with selecting hash algorithm.
-- Petr
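Petr's "Signature Algorithm: sha256WithRSAEncryption" line, the RSAwithSHA1 he noticed on the old fedoraproject.org cert, and Chris's question of whether a given OpenSSL "recognized" a SHA512 signature all come down to one OID inside the DER. The following is an added example, not code from this thread or from the Fedora infrastructure team: a minimal ASN.1 walker that reads the signatureAlgorithm OID and RSA modulus size out of a DER certificate, checks that tbsCertificate.signature equals the outer signatureAlgorithm as RFC 5280 section 4.1.1.2 requires, and prints SHA-1 and SHA-256 fingerprints in the colon format of the announcement at the top of the thread. The certificate it inspects is a constructed, certificate-shaped DER structure with a dummy modulus and dummy signature, built by the same block; it is not a real certificate and would not verify. To look at a real one, pass the bytes from `openssl x509 -outform DER` to inspect_certificate instead.

```python
"""Added example (not from this thread): signature algorithm, RSA key size and
fingerprints of a DER certificate via a minimal ASN.1 walker.  The sample
certificate is constructed here with a dummy key and dummy signature."""
import hashlib

SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
OID_RSA = "1.2.840.113549.1.1.1"


def der(tag, content):
    """Encode one DER TLV (definite lengths up to 65535)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content


def der_oid(dotted):
    """Encode a dotted OID (first arc 0..2, second arc below 40, as for all OIDs here)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += reversed(chunk)
    return der(0x06, bytes(out))


def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    """(tag, content_start, content_end) of the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, pos, pos + length


def children(buf, start, end):
    """(tag, start, end) triples of the TLVs directly inside a constructed value."""
    out, pos = [], start
    while pos < end:
        out.append(read_tlv(buf, pos))
        pos = out[-1][2]
    return out


def alg_oid(buf, start, end):
    """The OID inside AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }."""
    tag, cs, ce = children(buf, start, end)[0]
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return decode_oid(buf[cs:ce])


def build_sample_certificate(sig_oid, modulus_bits, inner_sig_oid=None):
    """Constructed certificate-shaped DER (v3 layout, dummy key, dummy signature)."""
    outer_alg = der(0x30, der_oid(sig_oid) + b"\x05\x00")
    inner_alg = der(0x30, der_oid(inner_sig_oid or sig_oid) + b"\x05\x00")
    name = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x13, b"example"))))
    validity = der(0x30, der(0x17, b"110310200000Z") + der(0x17, b"120310200000Z"))
    mod = ((1 << (modulus_bits - 1)) | 1).to_bytes((modulus_bits + 7) // 8, "big")
    if mod[0] & 0x80:
        mod = b"\x00" + mod                                   # keep the INTEGER positive
    rsa_key = der(0x30, der(0x02, mod) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, der_oid(OID_RSA) + b"\x05\x00") + der(0x03, b"\x00" + rsa_key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + inner_alg
              + name + validity + name + spki)
    return der(0x30, tbs + outer_alg + der(0x03, b"\x00" + bytes(8)))


def inspect_certificate(cert_der):
    """Signature algorithm name, RSA modulus bits and OpenSSL-style fingerprints."""
    _, start, end = read_tlv(cert_der, 0)                     # Certificate ::= SEQUENCE
    tbs, sig_alg, _signature = children(cert_der, start, end)
    outer = alg_oid(cert_der, sig_alg[1], sig_alg[2])
    fields = children(cert_der, tbs[1], tbs[2])
    off = 1 if fields[0][0] == 0xA0 else 0                    # explicit [0] version present (v2/v3)
    inner = alg_oid(cert_der, fields[1 + off][1], fields[1 + off][2])
    if inner != outer:                                        # RFC 5280 4.1.1.2: they must be equal
        raise ValueError("tbsCertificate.signature %s != signatureAlgorithm %s" % (inner, outer))
    spki_alg, spki_key = children(cert_der, fields[5 + off][1], fields[5 + off][2])
    key_bits = None
    if alg_oid(cert_der, spki_alg[1], spki_alg[2]) == OID_RSA:
        _, ks, _ = read_tlv(cert_der, spki_key[1] + 1)        # skip BIT STRING unused-bits byte
        _, ms, me = read_tlv(cert_der, ks)                    # RSAPublicKey.modulus INTEGER
        key_bits = int.from_bytes(cert_der[ms:me], "big").bit_length()
    fp = lambda h: ":".join("%02X" % b for b in h(cert_der).digest())
    return {"signature_algorithm": SIG_ALG_NAMES.get(outer, outer), "key_bits": key_bits,
            "sha1": fp(hashlib.sha1), "sha256": fp(hashlib.sha256)}
```

Two things worth noticing when running it on the old and new fedoraproject.org certs: the fingerprint is a digest of the entire DER blob and says nothing about how the cert was signed, so "SHA1 Fingerprint" in the announcement is merely the identifier OpenSSL prints by default (`-sha256` gives the other one), while the signature algorithm OID is what a client must know how to verify. An unknown OID is what an old OpenSSL such as the RHEL 4 one Chris tried reports when it "does not recognize" a SHA512 signature; the inner/outer mismatch check is the one a verifier must make so that the attacker-controllable outer field cannot downgrade the hash the signature is checked with.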
On 2011-03-11, Chris Adams cmadams@hiwaay.net wrote:
Once upon a time, Petr Pisar ppisar@redhat.com said:
This year? In Europe we are already past that. All qualified CAs have been forbidden to issue SHA-1 certificates since the beginning of 2010.
Cite?
There is a study, ETSI TS 102 176-1 V2.0.0 (called the `ALGO Paper'), http://webapp.etsi.org/action/PU/20071120/ts_10217601v020000p.pdf, by ETSI that recommends algorithms and their safety over time. Then each European country implements national standards. E.g. the Czech Republic has required at least 2048-bit RSA with SHA-2 since 2010-01-01; the same applies to Germany and Slovakia.
Unfortunately, none of the documents I can find now are in English.
AFAIK the American NIST states federal bureaus should stop using SHA-1 at the end of 2010 (except for HMAC, KDF or RNG usages).
https://europa.eu/ uses SHA-1 on a cert issued in February 2010.
This is not a qualified (or, more precisely, system) certificate. This is a plain certificate you can buy from anyone without any legal implications.
-- Petr