[Secure Coding] master: RPM packaging: X.509 key pair generation (95c2976)

Hubert Kario hkario at redhat.com
Mon Apr 28 11:11:33 UTC 2014


----- Original Message -----
> From: "Joe Orton" <jorton at redhat.com>
> To: security at lists.fedoraproject.org
> Sent: Monday, 28 April, 2014 10:39:09 AM
> Subject: Re: [Secure Coding] master: RPM packaging: X.509 key pair generation	(95c2976)
> 
> On Fri, Apr 25, 2014 at 02:33:43PM +0000, fweimer at fedoraproject.org wrote:
> > +  if ! test -e %{tlscert} ; then
> > +    cn="Automatically generated certificate for the %{tlsuser} service"
> > +    openssl req -new -x509 -extensions usr_cert \
> > +      -key %{tlskey} -out %{tlscert} -days 7305 -subj "/CN=$cn/"
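Review bot: The `openssl req` call ending in `-days 7305 -subj "/CN=$cn/"` sets neither a serial number nor a digest, so both are left to whatever the installed OpenSSL defaults to. Consider passing `-serial` with a random value and `-sha256` explicitly, and add a comment next to `-days 7305` stating that this is roughly 20 years, so the long validity reads as intentional.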
> 
> We also pass here:
> 
>  -serial $RANDOM -sha256
> 
> in the mod_ssl %post, possibly recommend these also?  We had a couple of
> user complaints when the serial number wasn't set; not a big issue but
> simple to work around.
> 
> I'm not sure whether current OpenSSL is using a SHA256 hash by default
> already, that part might be redundant.

It should use SHA256 by default, but that's irrelevant for self-signed
certificates. They have the same threat model as CA trust anchors:
either you trust them as is or you don't; the signature is essentially
just a checksum.

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hkario at redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
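
The point made in the reply above, as an added example that is not part of the original mail or the packaging guide: two unrelated key pairs can each produce a self-signed SHA-256 certificate with the same subject, and both self-signatures verify, so only a fingerprint recorded out of band tells them apart. The function names, the demo CN, the 30-day lifetime and the temporary paths are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: the self-signature does not establish trust, the pin does.
# CN, lifetime and file names are constructed for the demo.

make_cert() {  # $1 = output prefix; fresh key pair, self-signed with SHA-256
  openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1.key" -out "$1.pem" -days 30 \
    -subj "/CN=Automatically generated certificate for the demo service" \
    2>/dev/null
}

fingerprint() {  # SHA-256 fingerprint of the whole certificate
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

self_sig_ok() {  # use the cert as its own anchor and check its self-signature
  openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1
}

pinned_ok() {  # $1 = presented cert, $2 = fingerprint recorded out of band
  [ "$(fingerprint "$1")" = "$2" ]
}

demo() {
  dir=$(mktemp -d) || return 1
  make_cert "$dir/service" && make_cert "$dir/other" || return 1
  # The administrator records the service certificate's fingerprint once.
  pin=$(fingerprint "$dir/service.pem")
  for c in service other; do
    self_sig_ok "$dir/$c.pem" && sig=valid || sig=invalid
    pinned_ok "$dir/$c.pem" "$pin" && trust=pinned || trust=unknown
    echo "$c: self-signature=$sig trust=$trust"
  done
  rm -rf "$dir"
}

demo
```

Both certificates report a valid self-signature; only the one whose fingerprint was recorded is reported as pinned.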

