Bug#733255: ssl-cert: start creating SHA2-based certificates
Currently running "make-ssl-cert" creates self-signed (snake oil) certificates which use the Signature Algorithm "sha1WithRSAEncryption". This has been fine for the last few years, but there are some recently changes that warrant using SHA2-based algorithms in the future.
The first is that NIST SP800-57 rev 3 (July 2012) dictates that algorithms that have a "Security-strength" of less than 112 bits (see Table 4) are Disallowed from 2014 ownards:
SHA1 falls with-in this scenario, as it is considered to have only 80 bits of security.
If Debian is to be used in institutions that follow NIST standards, it needs to follow this regulation, and not use SHA1.
The second item is that Mircosoft has published a depreciation policy for the use of SHA1 in SSL and code signing certificates, disallowing their used starting in 2016:
While 2016 appears to be a long way off, given the time periods between Debian releases (and some derivative distributions), I ask that the "make-ssl-cert" script be updated as follows:
--- /usr/sbin/make-ssl-cert 2012-08-26 13:49:40.000000000 -0400
+++ make-ssl-cert.new 2013-12-27 14:34:40.979406380 -0500
@@ -100,7 +100,7 @@
# create the certificate.
if [ "$1" != "generate-default-snakeoil" ]; then
- if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes \
+ if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes -sha256 \
-out $output -keyout $output > $TMPOUT 2>&1
echo Could not create certificate. Openssl output was: >&2
This would cause generated certificates to use the "sha256WithRSAEncryption" Signature Alogirthm. Most browsers support SHA-256, even quite old versions of Internet Explorer with the proper patches installed on the base OS:
It would probably be sufficient to get this change into sid and jessie; backporting it to wheezy could be considered at a later time depending on when jessie is actually released and how long wheezy will be support (only 2015 or into 2016).
By doing this update now, there will hopefully be greater opportunity for testing of web browsers, as well as other software that uses SSL (Java, cURL, etc.), with SHA2-based algorithms.
Other options are SHA-384 (sha384WithRSAEncryption) and SHA-512 (sha512WithRSAEncryption):
$ openssl dgst -help 2>&1 | grep sha
-sha to use the sha message digest algorithm
-sha1 to use the sha1 message digest algorithm
-sha224 to use the sha224 message digest algorithm
-sha256 to use the sha256 message digest algorithm
-sha384 to use the sha384 message digest algorithm
-sha512 to use the sha512 message digest algorithm
I classified this bug as "normal" as it will have operation impact, though I can see it being thought of "wishlist" as well since that impact will be in the future.
-- System Information:
Debian Release: 7.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.10.9 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Versions of packages ssl-cert depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.49
ii openssl 1.0.1e-2
ssl-cert recommends no packages.
Versions of packages ssl-cert suggests:
pn openssl-blacklist <none>
-- debconf information excluded