ClearOS Bug Tracker


View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0015981ClearOSapp-certificate-manager - Certificate Managerpublic2017-08-05 06:522017-09-13 12:09
ReporterNickH 
Assigned Topbaldwin 
PrioritynormalSeveritytweakReproducibilityhave not tried
StatusclosedResolutionfixed 
PlatformOSOS Version
Product Version7.3.1 
Target Version7.4.0 Beta 1Fixed in Version7.4.0 Beta 1 
Summary0015981: ClearOS Certificates need to use subjectAlternativeName
DescriptionPlease see https://www.clearos.com/clearfoundation/social/community/self-signed-certificate-generated-by-clearos-is-not-chrome-58-compliant [^] and https://alexanderzeitler.com/articles/Fixing-Chrome-missing_subjectAltName-selfsigned-cert-openssl/ [^]

It looks like from Chrome 58+, Chrome will not accept certificates without the subjectAlternativeName. This will mean you cannot use Chrome on the Webconfig, and presumably, for access to ClearOS hosted websites using self-signed certificates.

I am not sure which Category to file the bug against as it will affect both the Webconfig and Web Server

At the same time it may be an idea to change the certificates from sha1 to sha256
TagsNo tags attached.
Attached Files

- Relationships

-  Notes
(0006051)
NickH (reporter)
2017-08-05 12:42

In fact the /etc/pki/tls/certs/localhost.crt certificate is already sha256 but only 1024 bit. The sys-0-cert is 2048 bit but sha1. How about aiming for at least 2048 bit and sha256 across the board as a minimum?
(0006071)
pbaldwin (administrator)
2017-08-05 15:00

The localhost.crt is the default created by upstream, so we usually leave it alone (i.e. follow upstream).

The default config was changed to SHA256 in ClearOS 7, but I believe SHA1 was kept around in one spot for legacy reasons. There was a review done prior to the release of ClearOS 7 - https://tracker.clearos.com/view.php?id=1862 [^] I added a new tracker to do another review for ClearOS 7.4 - 0015991 I doubt will hit that release target, but at least it's now back on the radar.
(0006081)
NickH (reporter)
2017-08-05 15:06

My bad on localhost.crt and sys-0-cert as I upgraded by doing a 6.x backup into a 7.x restore so my certificates do not reflect a vanilla 7.x
(0006091)
pbaldwin (administrator)
2017-08-05 15:08

No worries. It's still worth doing a new review!
(0006451)
pbaldwin (administrator)
2017-09-13 09:39

https://github.com/clearos/app-certificate-manager/commit/6bee865ab5812d85ab5e7fbe493042121dbfec9e [^]

- Issue History
Date Modified Username Field Change
2017-08-05 06:52 NickH New Issue
2017-08-05 12:42 NickH Note Added: 0006051
2017-08-05 13:40 pbaldwin Category app-base - Base System => app-certificate-manager - Certificate Manager
2017-08-05 13:41 pbaldwin Status new => confirmed
2017-08-05 14:42 pbaldwin Assigned To => pbaldwin
2017-08-05 14:42 pbaldwin Status confirmed => assigned
2017-08-05 14:43 pbaldwin Severity minor => tweak
2017-08-05 15:00 pbaldwin Note Added: 0006071
2017-08-05 15:06 NickH Note Added: 0006081
2017-08-05 15:08 pbaldwin Note Added: 0006091
2017-08-12 06:54 pbaldwin Target Version => 7.4.0 Beta 1
2017-08-18 10:02 pbaldwin Target Version 7.4.0 Beta 1 => 7.4.0 Updates
2017-09-13 09:39 pbaldwin Target Version 7.4.0 Updates => 7.4.0 Beta 1
2017-09-13 09:39 pbaldwin Note Added: 0006451
2017-09-13 09:39 pbaldwin Status assigned => resolved
2017-09-13 09:39 pbaldwin Fixed in Version => 7.4.0 Beta 1
2017-09-13 09:39 pbaldwin Resolution open => fixed
2017-09-13 12:09 pbaldwin Status resolved => closed