0001796: SSL should use SHA1 instead of MD5 - MantisBT Endian Bugtracker
ID: 0001796
Project: Endian Firewall
Category: Security
View Status: public
Date Submitted: 2009-04-18 09:37
Last Update: 2010-11-22 11:51
Reporter: mike-f
Assigned To: peter-endian
Priority: normal
Severity: tweak
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 2.2-rc3
Target Version: 2.5
Fixed in Version: 2.4.1
Summary: 0001796: SSL should use SHA1 instead of MD5
Description: certificates are signed using MD5-algorithm
we should change it to use SHA1 instead

/etc/ssl/openssl.cnf
/etc/openvpn/openssl.cnf
/etc/ipsec/openssl.conf


default_md = md5
-->
default_md = sha1
Additional Information: http://www.kb.cert.org/vuls/id/836068
MD5 vulnerable to collision attacks

Tags: No tags attached.

- Relationships
related to 0001883 (confirmed): update openssl to a more recent version

-  Notes
(0002157)
mike-f (updater)
2009-04-18 10:34

also change the lines in
/etc/init.d/httpd

    echo "Signing certificate"
    openssl x509 -req -days 999999 -in \
        /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
        /etc/httpd/server.crt >/dev/null 2>&1
to

    echo "Signing certificate"
    openssl x509 -req -days 999999 -in \
        /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
        /etc/httpd/server.crt -sha1 >/dev/null 2>&1
(0002158)
mike-f (updater)
2009-04-18 11:22

with more recent openssl-versions we can even use -sha256 and -sha512
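
An added example, not part of the original issue or of Endian's code: a shell function that scans OpenSSL config files, such as the three listed in the description, for a `default_md` line that selects a flagged digest. The function name, the `WEAK_DIGESTS` variable and the sample file contents are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: report default_md settings in OpenSSL config files that
# select a flagged digest. Plain awk, so openssl itself is not needed.

# Digests to flag (assumed variable name). md5 is the one this issue is
# about; set WEAK_DIGESTS="md5 sha1" to flag SHA-1 as well.
WEAK_DIGESTS="${WEAK_DIGESTS:-md5}"

# find_weak_default_md FILE...
# Prints "file:line:[section]:digest" for every flagged default_md line.
# Returns 1 if anything was flagged, 0 otherwise.
find_weak_default_md() {
    awk -v weak="$WEAK_DIGESTS" '
        BEGIN { n = split(tolower(weak), w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        FNR == 1 { section = "default" }      # unnamed section at top of each file
        { line = $0; sub(/#.*/, "", line) }   # strip comments before matching
        line ~ /^[ \t]*\[/ {                  # "[ section ]" header
            section = line
            gsub(/[ \t\r]/, "", section); sub(/^\[/, "", section); sub(/\].*$/, "", section)
            next
        }
        line ~ /^[ \t]*default_md[ \t]*=/ {
            val = line; sub(/^[^=]*=/, "", val); gsub(/[ \t\r]/, "", val)
            val = tolower(val)
            if (val in bad) { printf "%s:%d:[%s]:%s\n", FILENAME, FNR, section, val; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample, shaped like the openssl.cnf files named in the issue.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[ CA_default ]
default_days = 365
default_md = md5        # flagged by default
[ req ]
#default_md = md5
default_md = sha1
EOF
find_weak_default_md "$sample" || echo "flagged digest configured"
rm -f "$sample"
```

Pass the real config paths as arguments; the non-zero exit status on a finding lets the function gate a build or upgrade script.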

- Issue History
Date Modified Username Field Change
2009-04-18 09:37 mike-f New Issue
2009-04-18 10:34 mike-f Note Added: 0002157
2009-04-18 11:22 mike-f Note Added: 0002158
2009-05-19 07:33 luca-endian Relationship added related to 0001883
2010-09-20 18:03 peter-endian Status new => confirmed
2010-09-20 18:03 peter-endian Target Version => 2.5
2010-09-24 14:25 peter-endian Status confirmed => resolved
2010-09-24 14:25 peter-endian Fixed in Version => 2.4.1
2010-09-24 14:25 peter-endian Resolution open => fixed
2010-09-24 14:25 peter-endian Assigned To => peter-endian
2010-11-22 11:51 peter-endian Status resolved => closed
