
Bug#863270: cups: https uses SHA-1 signature algorithm



Control: tags -1 +confirmed +upstream
Control: forcemerge 865649 -1

Hi Heinrich, and thank you for your bug report,

On Wednesday, 24 May 2017, 18:26:11 CEST, Heinrich Schuchardt wrote:
> the cups webserver on port 631 supports the https protocol.
> 
> When browsing cups using the https protocol a certificate/key pair is
> created in /etc/cups/ssl.
> 
> $ openssl x509 -in /etc/cups/ssl/hostname.crt -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1495639838 (0x5925a71E)
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C = US, CN = hostname, O = hostname, OU = Unknown, ST =
>        (…)
> 
> Using SHA-1 as signature algorithm is unsafe.
> This algorithm will not be accepted in future browser versions.

That's very much a problem, yes, but upstream is aware of it. See 
https://github.com/apple/cups/issues/4876 for a somewhat recent discussion 
about this.

> I have no clue why the country is set to US. That is not where my system is.
> Please remove this bogus value when fixing the SHA-1 issue.

http://sources.debian.net/src/cups/2.2.4-3/cups/tls-gnutls.c/#L151 is where 
this happens; the country code is guessed from the end of your locale setting.

But all that is in vain; we're talking about a self-signed certificate, which 
is not trusted (nor trustable nowadays) in modern browsers.

Finally, from a Debian maintenance point of view, I'm not going to diverge 
from upstream code on crypto.

Cheers,
    OdyX

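A practitioner-side check for the issue discussed in this thread, as an added example that is not code from CUPS, Debian or either poster: a standard-library-only Python script that walks the DER of a certificate such as /etc/cups/ssl/hostname.crt, reports its signatureAlgorithm OID, flags the SHA-1 variants, and also checks the RFC 5280 requirement that the inner tbsCertificate.signature field matches the outer one. The OID table, the helper names and the sample certificate skeleton (which borrows the serial number from the report but is otherwise constructed and unsigned) are this example's own assumptions, not anything the thread or upstream provides.

```python
"""Flag SHA-1-signed X.509 certificates (e.g. the self-signed one CUPS writes
to /etc/cups/ssl/) with a minimal DER walker, standard library only.
Added example, not CUPS or Debian code; the sample input below is a
constructed, unsigned certificate skeleton with just enough structure to parse."""
import base64
import re
import sys

SIGNATURE_OIDS = {                           # RFC 8017 / RFC 5758 names
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """OBJECT IDENTIFIER content bytes -> dotted string."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear: last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def algorithm_oid(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }."""
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def signature_oids(der):
    """Return (Certificate.signatureAlgorithm, tbsCertificate.signature) OIDs;
    RFC 5280 4.1.1.2 requires them to match, so a mismatch is a red flag."""
    tag, cert, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER Certificate")
    _, tbs, pos = read_tlv(cert, 0)          # tbsCertificate
    _, outer_alg, _ = read_tlv(cert, pos)    # signatureAlgorithm
    tag, _, p = read_tlv(tbs, 0)             # [0] EXPLICIT version, absent for v1
    if tag != 0xA0:
        p = 0                                # first element was already the serial
    _, _, p = read_tlv(tbs, p)               # serialNumber INTEGER
    _, inner_alg, _ = read_tlv(tbs, p)       # signature AlgorithmIdentifier
    return algorithm_oid(outer_alg), algorithm_oid(inner_alg)

def assess(der):
    """Summarise the signature algorithm of one DER-encoded certificate."""
    outer, inner = signature_oids(der)
    return {"oid": outer, "name": SIGNATURE_OIDS.get(outer, outer),
            "sha1": outer in SHA1_OIDS, "consistent": outer == inner}

def pem_to_der(text):
    """Extract and decode the first PEM CERTIFICATE block (what /etc/cups/ssl holds)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return base64.b64decode("".join(m.group(1).split()))

# --- constructed sample input: tiny DER encoder and a certificate skeleton ---
def tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                             # remaining 7-bit groups carry the continuation bit
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def make_sample_cert(sig_oid, v3=True):
    """Version (optional), serial and both AlgorithmIdentifier copies, then a
    dummy BIT STRING. Not a valid or signed certificate: constructed test input."""
    alg_id = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))
    version = tlv(0xA0, tlv(0x02, b"\x02")) if v3 else b""
    tbs = tlv(0x30, version + tlv(0x02, b"\x59\x25\xa7\x1e") + alg_id)  # serial from the report
    return tlv(0x30, tbs + alg_id + tlv(0x03, bytes(17)))

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. /etc/cups/ssl/hostname.crt
    der = pem_to_der(open(path).read()) if path else make_sample_cert("1.2.840.113549.1.1.5")
    print(assess(der))
```

Run it with the path of a CUPS certificate to get a dict such as `{'oid': '1.2.840.113549.1.1.5', 'name': 'sha1WithRSAEncryption', 'sha1': True, 'consistent': True}`; with no argument it runs on the constructed skeleton. The walker deliberately reads only the fields it needs, so it also works on the truncated skeleton, but it is not a general X.509 parser and does no signature verification.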