ClearFoundation Tracker - ClearOS |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0015981 | ClearOS | app-certificate-manager - Certificate Manager | public | 2017-08-05 06:52 | 2017-09-13 12:09 |
|
| Reporter | NickH | |
| Assigned To | user2 | |
| Priority | normal | Severity | tweak | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | |
| Platform | | OS | | OS Version | |
| Product Version | 7.3.1 | |
| Target Version | 7.4.0 Beta 1 | Fixed in Version | 7.4.0 Beta 1 | |
|
| Summary | 0015981: ClearOS Certificates need to use subjectAlternativeName |
| Description | Please see https://www.clearos.com/clearfoundation/social/community/self-signed-certificate-generated-by-clearos-is-not-chrome-58-compliant [^] and https://alexanderzeitler.com/articles/Fixing-Chrome-missing_subjectAltName-selfsigned-cert-openssl/ [^]
It looks like from Chrome 58+, Chrome will not accept certificates without the subjectAlternativeName. This will mean you cannot use Chrome on the Webconfig, and presumably, for access to ClearOS hosted websites using self-signed certificates.
I am not sure which Category to file the bug against as it will affect both the Webconfig and Web Server
At the same time it may be an idea to change the certificates from sha1 to sha256 |
| Steps To Reproduce | |
| Additional Information | |
| Tags | No tags attached. |
| Relationships | |
| Attached Files | |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2017-08-05 06:52 | NickH | New Issue | |
| 2017-08-05 12:42 | NickH | Note Added: 0006051 | |
| 2017-08-05 13:40 | user2 | Category | app-base - Base System => app-certificate-manager - Certificate Manager |
| 2017-08-05 13:41 | user2 | Status | new => confirmed |
| 2017-08-05 14:42 | user2 | Assigned To | => user2 |
| 2017-08-05 14:42 | user2 | Status | confirmed => assigned |
| 2017-08-05 14:43 | user2 | Severity | minor => tweak |
| 2017-08-05 15:00 | user2 | Note Added: 0006071 | |
| 2017-08-05 15:06 | NickH | Note Added: 0006081 | |
| 2017-08-05 15:08 | user2 | Note Added: 0006091 | |
| 2017-08-12 06:54 | user2 | Target Version | => 7.4.0 Beta 1 |
| 2017-08-18 10:02 | user2 | Target Version | 7.4.0 Beta 1 => 7.4.0 Updates |
| 2017-09-13 09:39 | user2 | Target Version | 7.4.0 Updates => 7.4.0 Beta 1 |
| 2017-09-13 09:39 | user2 | Note Added: 0006451 | |
| 2017-09-13 09:39 | user2 | Status | assigned => resolved |
| 2017-09-13 09:39 | user2 | Fixed in Version | => 7.4.0 Beta 1 |
| 2017-09-13 09:39 | user2 | Resolution | open => fixed |
| 2017-09-13 12:09 | user2 | Status | resolved => closed |
|
Notes |
|
|
(0006051)
|
|
NickH
|
|
2017-08-05 12:42
|
|
|
In fact the /etc/pki/tls/certs/localhost.crt certificate is already sha256 but only 1024 bit. The sys-0-cert is 2048 bit but sha1. How about aiming for at least 2048 bit and sha256 across the board as a minimum? |
|
|
|
(0006071)
|
|
user2
|
|
2017-08-05 15:00
|
|
The localhost.crt is the default created by upstream, so we usually leave it alone (i.e. follow upstream).
The default config was changed to SHA256 in ClearOS 7, but I believe SHA1 was kept around in one spot for legacy reasons. There was a review done prior to the release of ClearOS 7 - https://tracker.clearos.com/view.php?id=1862 [^] I added a new tracker to do another review for ClearOS 7.4 - 0015991 I doubt will hit that release target, but at least it's now back on the radar. |
|
|
|
(0006081)
|
|
NickH
|
|
2017-08-05 15:06
|
|
|
My bad on localhost.crt and sys-0-cert as I upgraded by doing a 6.x backup into a 7.x restore so my certificates do not reflect a vanilla 7.x |
|
|
|
(0006091)
|
|
user2
|
|
2017-08-05 15:08
|
|
|
No worries. It's still worth doing a new review! |
|
|
|
(0006451)
|
|
user2
|
|
2017-09-13 09:39
|
|
|