Subject: CAcert Code Development list.
List archive
- From: Wytze van der Raay <wytze AT cacert.org>
- To: Michael Tänzer <michael.taenzer AT cacert.org>
- Cc: "critical-admin AT cacert.org" <critical-admin AT cacert.org>, cacert-devel AT lists.cacert.org, Benny Baumann <benbe AT cacert.org>, Marcus Mängel <inopiae AT cacert.org>, Eva Stöwe <eva.stoewe AT cacert.org>, Martin Gummi <martin.gummi AT cacert.org>
- Subject: Re: Patch request: Bug #1237
- Date: Wed, 15 Jan 2014 16:29:10 +0100
- Organization: CAcert
Hi Michael,
On 14.01.2014 23:55, Michael Tänzer wrote:
> We have a fix for https://bugs.cacert.org/view.php?id=1237
> "Certificates should be issued using sha512WithRSAEncryption for signatures"
>
> The fix was reviewed by Benny Baumann (BenBE) and me (NEOatNHNG) and
> tested by Martin Gummi, Eva Stöwe (Eva) and Marcus Mängel (INOPIAE).
>
> Diff is attached.
>
> Important
> =========
> Before applying the patch please execute the following SQL statements on
> the cacert database:
>
> ALTER TABLE `domaincerts` ALTER `md` SET DEFAULT 'sha512';
> ALTER TABLE `emailcerts` ALTER `md` SET DEFAULT 'sha512';
> ALTER TABLE `orgdomaincerts` ALTER `md` SET DEFAULT 'sha512';
> ALTER TABLE `orgemailcerts` ALTER `md` SET DEFAULT 'sha512';
>
> Then apply the patch and afterwards restart the CommModule
>
>
> Changed files:
> /CommModule/client.pl
The patch has been installed on the production server on January 15, 2014.
After enabling the fix, the database defaults have been altered as instructed
(different sequence as requested in a follow-up message):
mysql> ALTER TABLE `domaincerts` ALTER `md` SET DEFAULT 'sha512';
Query OK, 0 rows affected (0.16 sec)
Records: 0 Duplicates: 0 Warnings: 0
mysql> ALTER TABLE `emailcerts` ALTER `md` SET DEFAULT 'sha512';
Query OK, 0 rows affected (0.10 sec)
Records: 0 Duplicates: 0 Warnings: 0
mysql> ALTER TABLE `orgdomaincerts` ALTER `md` SET DEFAULT 'sha512';
Query OK, 0 rows affected (0.07 sec)
Records: 0 Duplicates: 0 Warnings: 0
mysql> ALTER TABLE `orgemailcerts` ALTER `md` SET DEFAULT 'sha512';
Query OK, 0 rows affected (0.07 sec)
Records: 0 Duplicates: 0 Warnings: 0
See also the attached log message.
Regards,
-- wytze
--- Begin Message ---
- From: Wytze van der Raay <wytze AT cacert.org>
- To: cacert-systemlog AT lists.cacert.org
- Subject: Fwd: cvs.cacert.org checkin notification
- Date: Wed, 15 Jan 2014 16:24:21 +0100
- Organization: CAcert
Fix for https://bugs.cacert.org/view.php?id=1237
"Certificates should be issued using sha512WithRSAEncryption for signatures"
After installing and enabling this fix,
the database default settings have been adjusted like this:
mysql> ALTER TABLE `domaincerts` ALTER `md` SET DEFAULT 'sha512';
Query OK, 0 rows affected (0.16 sec)
Records: 0 Duplicates: 0 Warnings: 0
mysql> ALTER TABLE `emailcerts` ALTER `md` SET DEFAULT 'sha512';
Query OK, 0 rows affected (0.10 sec)
Records: 0 Duplicates: 0 Warnings: 0
mysql> ALTER TABLE `orgdomaincerts` ALTER `md` SET DEFAULT 'sha512';
Query OK, 0 rows affected (0.07 sec)
Records: 0 Duplicates: 0 Warnings: 0
mysql> ALTER TABLE `orgemailcerts` ALTER `md` SET DEFAULT 'sha512';
Query OK, 0 rows affected (0.07 sec)
Records: 0 Duplicates: 0 Warnings: 0
In conjunction with the attached CVS changes a new tarball has been
made available incorporating all updates. The new tarball is available
through http://www.cacert.org/src-lic.php
-- end
--- Begin Message ---
- From: "root" <root AT cvs.cacert.org>
- To: critical-admin AT cacert.org
- Subject: cvs.cacert.org checkin notification
- Date: Wed, 15 Jan 2014 16:22:09 +0100 (CET)
uid=0(root) gid=0(root) groups=0(root)
client.pl 1.25 1.26
Wed Jan 15 16:22:09 CET 2014
Update of /var/lib/cvs/cacert/CommModule
In directory webdb:/home/cacert/www/CommModule
Modified Files:
client.pl
Log Message:
Fix for https://bugs.cacert.org/view.php?id=1237
"Certificates should be issued using sha512WithRSAEncryption for signatures"
===================================================================
RCS file: /var/lib/cvs/cacert/CommModule/client.pl,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- client.pl 2012/01/24 14:24:27 1.25
+++ client.pl 2014/01/15 15:22:09 1.26
@@ -834,8 +834,15 @@
my $days=$org?($server?(365*2):365):calculateDays($row{"memid"});
+ my $md_id = 0;
+ $md_id = 1 if( $row{'md'} eq "md5");
+ $md_id = 2 if( $row{'md'} eq "sha1");
+ $md_id = 3 if( $row{'md'} eq "rmd160");
+ $md_id = 8 if( $row{'md'} eq "sha256");
+ $md_id = 9 if( $row{'md'} eq "sha384");
+ $md_id =10 if( $row{'md'} eq "sha512");
-
$crt=Request($ver,1,1,$row{'rootcert'}-1,$profile,$row{'md'}eq"sha1"?2:0,$days,$row{'keytype'}eq"NS"?1:0,$content,$SAN,$subject);
+
$crt=Request($ver,1,1,$row{'rootcert'}-1,$profile,$md_id,$days,$row{'keytype'}eq"NS"?1:0,$content,$SAN,$subject);
if(length($crt))
{
if($crt=~m/^-----BEGIN CERTIFICATE-----/)
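Review bot: the `$md_id` chain leaves `$md_id = 0` for any `md` value it does not match (NULL, an empty string, a typo, or different capitalisation such as "SHA512", since `eq` is case-sensitive), and `Request(...)` is then called with that 0 without any warning. What digest id 0 selects on the signer is not visible in this hunk, so an unexpected database value silently changes the signature algorithm. Consider a lookup hash keyed on the `md` string, and log or refuse the request when the key is missing instead of falling through. Separately, `md5` (1) and `sha1` (2) remain selectable; a comment saying why they are kept, and where the ids 1, 2, 3, 8, 9 and 10 are defined, would help the next reader.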
--- End Message ---
Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
--- End Message ---
Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
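An added check, not part of the original messages or of CAcert's code: the ALTER statements in this thread report "0 rows affected" because a changed column default only applies to rows inserted later without an explicit `md`. The queries below assume MySQL's information_schema and the four tables and `md` column named in the thread; they confirm the new defaults and show which `md` values existing rows carry, including values the patched client.pl would map to id 0.

```sql
-- Added example; run while connected to the cacert database.

-- 1. Confirm each `md` column now defaults to sha512.
SELECT TABLE_NAME, COLUMN_NAME, COLUMN_DEFAULT
FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = DATABASE()
  AND COLUMN_NAME = 'md'
  AND TABLE_NAME IN ('domaincerts', 'emailcerts',
                     'orgdomaincerts', 'orgemailcerts')
ORDER BY TABLE_NAME;

-- 2. Count existing rows per digest name and flag names the
--    patched client.pl does not map. The comparison is cast to
--    binary because Perl's `eq` is case-sensitive, while the
--    default MySQL collation is not. A NULL `md` also lands in
--    the ELSE branch.
--    Note: this scans all four certificate tables.
SELECT table_name,
       md,
       COUNT(*) AS n,
       CASE
         WHEN CAST(md AS BINARY) IN ('md5', 'sha1', 'rmd160',
                                     'sha256', 'sha384', 'sha512')
           THEN 'mapped by client.pl'
         ELSE 'falls back to md_id 0'
       END AS client_mapping
FROM (
        SELECT 'domaincerts' AS table_name, md FROM domaincerts
        UNION ALL
        SELECT 'emailcerts', md FROM emailcerts
        UNION ALL
        SELECT 'orgdomaincerts', md FROM orgdomaincerts
        UNION ALL
        SELECT 'orgemailcerts', md FROM orgemailcerts
     ) AS all_certs
GROUP BY table_name, md
ORDER BY table_name, n DESC;
```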