Bug 191156 - [Apache] Self-signed SSL certificate RSA key is considered too weak
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Tools / Tests
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Philippe Normand
Keywords: InRadar
Reported: 2018-11-01 10:15 PDT by Philippe Normand
Modified: 2018-11-02 03:05 PDT
Attachments
Patch (8.09 KB, patch)
2018-11-01 10:20 PDT, Philippe Normand
no flags
Patch (5.71 KB, patch)
2018-11-01 11:55 PDT, Philippe Normand
no flags
Patch (6.88 KB, patch)
2018-11-01 12:15 PDT, Philippe Normand
no flags
Patch (9.60 KB, patch)
2018-11-01 12:18 PDT, Philippe Normand
mcatanzaro: review+

Description Philippe Normand 2018-11-01 10:15:06 PDT
New versions of OpenSSL (1.1.2 here on Debian Testing) reject RSA 1024 now.
Comment 1 Philippe Normand 2018-11-01 10:20:07 PDT
Created attachment 353613 [details]
Patch
Comment 2 Michael Catanzaro 2018-11-01 10:47:27 PDT
Comment on attachment 353613 [details]
Patch

Good thing the Apple bots can't handle the SSLCertificateKeyFile arg, or this would have been too easy. :(

Why did you need to add that? Does Apache refuse to load the new private key out of the same PEM file as the certificate for some reason?
Comment 3 Philippe Normand 2018-11-01 11:55:32 PDT
Created attachment 353625 [details]
Patch
Comment 4 Philippe Normand 2018-11-01 12:15:39 PDT
Created attachment 353629 [details]
Patch
Comment 5 Philippe Normand 2018-11-01 12:18:42 PDT
Created attachment 353632 [details]
Patch
Comment 6 Michael Catanzaro 2018-11-01 12:19:59 PDT
Comment on attachment 353632 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=353632&action=review

Wait for EWS please.

> Tools/Scripts/webkitpy/common/system/pemfile.py:94
> -RSA_PRIVATE_KEY = "RSA PRIVATE KEY"
> +RSA_PRIVATE_KEY = "PRIVATE KEY"
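Review bot: with the value on line 94 changed to "PRIVATE KEY", anything that looks up a PEM section through this constant no longer matches a block labelled "RSA PRIVATE KEY", so a key file still using the older label would stop being found. If both kinds of file need to keep working, try the new label first and fall back to the old one, and add a short comment beside the constant saying why the label changed.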

Hm, I wonder why this is needed?

You should also rename the variable RSA_PRIVATE_KEY to PRIVATE_KEY.
Comment 7 Philippe Normand 2018-11-01 12:38:26 PDT
(In reply to Michael Catanzaro from comment #6)
> Comment on attachment 353632 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=353632&action=review
> 
> Wait for EWS please.

I don't plan to land this before tomorrow...

> 
> > Tools/Scripts/webkitpy/common/system/pemfile.py:94
> > -RSA_PRIVATE_KEY = "RSA PRIVATE KEY"
> > +RSA_PRIVATE_KEY = "PRIVATE KEY"
> 
> Hm, I wonder why this is needed?
> 

Because if you check the diff, "RSA" is gone from the pem file.
 
> You should also rename the variable RSA_PRIVATE_KEY to PRIVATE_KEY.

Sure!
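The label change discussed in comments 6 and 7, as an added example that is not code from the WebKit patch or from pemfile.py: "RSA PRIVATE KEY" marks a PKCS#1 key and "PRIVATE KEY" a PKCS#8 key that wraps the same structure, so a checker has to unwrap one level before it can read the modulus size. The function names, the constructed sample keys and the 2048-bit minimum are assumptions made for this example.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def tlv(buf, pos=0):  # read one DER element; returns (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split SEQUENCE content into (tag, value) elements
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def rsa_bits(label, der_bytes):
    """Modulus bits for PKCS#1 or PKCS#8 RSA keys; None for anything else."""
    if label not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
        return None
    items = children(tlv(der_bytes)[1])
    if label == "PRIVATE KEY":  # PKCS#8 wraps the PKCS#1 key in an OCTET STRING
        if children(items[1][1])[0][1] != RSA_OID:
            return None
        items = children(tlv(items[2][1])[1])
    return int.from_bytes(items[1][1], "big").bit_length()  # items[0] is version

def audit(pem_text, min_bits=2048):
    """(label, bits, ok) per RSA key block; min_bits is an assumed policy value."""
    keys = [(lbl, rsa_bits(lbl, base64.b64decode("".join(body.split()))))
            for lbl, body in PEM_RE.findall(pem_text)]
    return [(lbl, bits, bits >= min_bits) for lbl, bits in keys if bits is not None]

def der(tag, value):  # encoder, used only to build the constructed sample
    size = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    head = bytes([len(value)]) if len(value) < 128 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + value

def sample_pem(label, bits):  # constructed stand-in: version + modulus, not a usable key
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    key = der(0x30, der(0x02, b"\0") + der(0x02, modulus))
    if label == "PRIVATE KEY":
        alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
        key = der(0x30, der(0x02, b"\0") + alg + der(0x04, key))
    return f"-----BEGIN {label}-----\n{base64.encodebytes(key).decode()}-----END {label}-----\n"
```

Calling `audit(sample_pem("RSA PRIVATE KEY", 1024) + sample_pem("PRIVATE KEY", 2048))` reports the first block as below the minimum and the second as acceptable; certificate blocks in the same file are skipped.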
Comment 8 Michael Catanzaro 2018-11-01 20:32:25 PDT
All green!
Comment 9 Philippe Normand 2018-11-02 03:04:46 PDT
Committed r237727: <https://trac.webkit.org/changeset/237727>
Comment 10 Radar WebKit Bug Importer 2018-11-02 03:05:26 PDT
<rdar://problem/45758148>