Re: [Secure Coding] master: RPM packaging: X.509 key pair generation (95c2976)


----- Original Message -----
> From: "Joe Orton" <jorton@xxxxxxxxxx>
> To: security@xxxxxxxxxxxxxxxxxxxxxxx
> Sent: Monday, 28 April, 2014 10:39:09 AM
> Subject: Re: [Secure Coding] master: RPM packaging: X.509 key pair generation (95c2976)
> 
> On Fri, Apr 25, 2014 at 02:33:43PM +0000, fweimer@xxxxxxxxxxxxxxxxx wrote:
> > +  if ! test -e %{tlscert} ; then
> > +    cn="Automatically generated certificate for the %{tlsuser} service"
> > +    openssl req -new -x509 -extensions usr_cert \
> > +      -key %{tlskey} -out %{tlscert} -days 7305 -subj "/CN=$cn/"
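Review bot: the openssl req invocation sets neither a serial number nor a signature digest, so pass both explicitly; openssl req -x509 takes -set_serial (that is the spelling req accepts, not -serial) and -sha256, and without -sha256 the digest is whatever default_md in the openssl.cnf in effect at %post time says. Something like "-sha256 -set_serial 0x$(od -An -N8 -tx1 /dev/urandom | tr -d ' ')" gives a 64-bit serial, where $RANDOM gives only 15 bits. Two smaller points: -subj "/CN=$cn/" treats an unescaped / in the expansion of %{tlsuser} as an RDN separator, and -extensions usr_cert silently depends on that section existing in the system openssl.cnf the build and install hosts ship.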
> 
> We also pass here:
> 
>  -serial $RANDOM -sha256
> 
> in the mod_ssl %post, possibly recommend these also?  We had a couple of
> user complaints when the serial number wasn't set; not a big issue but
> simple to work around.
> 
> I'm not sure whether current OpenSSL is using a SHA256 hash by default
> already, that part might be redundant.

It should use SHA256 by default, but that's irrelevant for self-signed
certificates. They have the same threat model as CA trust anchors:
either you trust them as is or you don't; the signature is essentially
just a checksum.

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hkario@xxxxxxxxxx
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
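A runnable version of the %post logic under discussion, as an added example that is not the Fedora packaging change or the mod_ssl %post Joe refers to: it mirrors the quoted snippet (create the certificate only if it does not exist), adds the -set_serial and -sha256 pair, and then checks the resulting certificate for a SHA-256 signature, a non-zero serial, and the SHA-256 fingerprint, which for a self-signed certificate is the thing a relying party actually has to pin or compare out of band. It assumes openssl(1) with 'req -x509 -set_serial' and a usable default openssl.cnf; the file names and the CN used in demo() are made up.

```shell
#!/bin/sh
# Added example, not the Fedora packaging snippet or the mod_ssl %post:
# a %post-style self-signed certificate generator with an explicit serial
# and digest, plus checks for what actually ended up in the certificate.
# Assumes openssl(1) with 'req -x509 -set_serial' and a default openssl.cnf;
# file names and the CN in demo() are made up.

set -eu

# 64 random bits as 0x-prefixed hex for -set_serial. RFC 5280 wants a
# positive integer; $RANDOM only yields 15 bits, so draw from /dev/urandom.
random_serial() {
    printf '0x%s\n' "$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
}

# gen_selfsigned KEY CERT CN DAYS: create KEY (mode 0600 via umask) if it
# is missing, then CERT if it is missing, as the %post does, but with the
# serial and digest set explicitly instead of left to openssl defaults.
gen_selfsigned() {
    key=$1 cert=$2 cn=$3 days=$4
    if ! test -e "$key"; then
        (umask 077; openssl genpkey -algorithm RSA \
            -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null)
    fi
    if ! test -e "$cert"; then
        openssl req -new -x509 -sha256 -set_serial "$(random_serial)" \
            -key "$key" -out "$cert" -days "$days" -subj "/CN=$cn" 2>/dev/null
    fi
}

# Signature algorithm as printed by 'x509 -text' (first occurrence).
cert_sigalg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^[[:space:]]*Signature Algorithm: //p' | head -n 1
}

# Serial number as uppercase hex, with the "serial=" prefix stripped.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# SHA-256 fingerprint of the DER certificate: for a self-signed cert this,
# not the signature, is what has to be pinned or compared out of band.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -sha256 -fingerprint | sed 's/^[^=]*=//'
}

# check_selfsigned CERT: returns 0 if the signature digest is SHA-256 and
# the serial is not zero, 1 otherwise (with a reason on stderr).
check_selfsigned() {
    alg=$(cert_sigalg "$1")
    serial=$(cert_serial "$1")
    case $alg in
        sha256*) ;;
        *) echo "unexpected signature algorithm: $alg" >&2; return 1 ;;
    esac
    case $serial in
        *[1-9A-Fa-f]*) ;;
        *) echo "serial not set: '$serial'" >&2; return 1 ;;
    esac
    return 0
}

# demo: made-up paths and CN, in a scratch directory that is removed after.
demo() {
    dir=$(mktemp -d)
    gen_selfsigned "$dir/server.key" "$dir/server.crt" \
        "Automatically generated certificate for the example service" 7305
    check_selfsigned "$dir/server.crt"
    echo "serial:      $(cert_serial "$dir/server.crt")"
    echo "signed with: $(cert_sigalg "$dir/server.crt")"
    echo "pin:         $(cert_fingerprint "$dir/server.crt")"
    rm -rf "$dir"
}

# Only run the demo when asked, so the functions can also be sourced.
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as 'sh selfsigned.sh demo' to see the serial, algorithm and pin, or source the file and call check_selfsigned on an existing certificate to confirm a %post-generated file did not end up with serial 0 or a SHA-1 signature.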