
Use 2048-bit RSA key to make pixelserv-tls work on Debian 10 "Buster" #28

Open
emeidi opened this issue Jul 19, 2019 · 2 comments

Comments

@emeidi

commented Jul 19, 2019

I recently upgraded to Debian 10 "Buster" and pixelserv-tls wouldn't work anymore.

The cryptic error messages in the log (debug level 4) read:

create_child_sslctx: cannot find or use $CERTDIR/_.google-analytics.com
tls_clienthello_cb: fail to create sslctx or cache _.google-analytics.com

After hacking around in cert.c and making the real SSL error messages appear if SSL_CTX_use_certificate_file or SSL_CTX_use_PrivateKey_file failed ...

...
    if(!SSL_CTX_use_certificate_file(sslctx, full_pem_path, SSL_FILETYPE_PEM)) {
        log_msg(LGG_ERR, "%s: SSL_CTX_use_certificate_file error for file %s with error %s\n", __FUNCTION__, full_pem_path, ERR_error_string( ERR_get_error(), NULL ));
    }
    if(!SSL_CTX_use_PrivateKey_file(sslctx, full_pem_path, SSL_FILETYPE_PEM)) {
        log_msg(LGG_ERR, "%s: SSL_CTX_use_PrivateKey_file error for file %s with error %s\n", __FUNCTION__, full_pem_path, ERR_error_string( ERR_get_error(), NULL ));
    }
...

I received the following error:

routines:SSL_CTX_use_certificate:ee key too small

which led me to improve my ca.key generation line in my setup script to

openssl genrsa -out $CERTDIR/ca.key 2048

Unfortunately, the error wouldn't go away. I then realized that the key length is also hardcoded in cert.c:

...
if (RSA_generate_key_ex(rsa, 1024, e, NULL) < 0)
...

Once I changed this to 2048, everything is working fine again.

Thanks for patching
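The "ee key too small" error above comes from OpenSSL's security-level check, which runs when a certificate is loaded into an SSL_CTX: Debian 10 ships /etc/ssl/openssl.cnf with CipherString = DEFAULT@SECLEVEL=2, and level 2 rejects RSA keys shorter than 2048 bits. The following is an added example, not code from pixelserv-tls or from the issue author, that reproduces the failure and the fix outside the daemon: it generates self-signed certificates with 1024-bit and 2048-bit RSA keys using the openssl CLI (the same tool as the setup script), then loads each into a server context pinned to SECLEVEL=2 via Python's ssl module, which calls the same SSL_CTX_use_certificate/SSL_CTX_use_PrivateKey path that cert.c uses. The function names, the temporary file names and the CN example.test are assumptions of this example.

```python
import os
import ssl
import subprocess
import tempfile


def make_self_signed(bits, directory, cn="example.test"):
    """Generate an RSA private key of `bits` bits and a self-signed
    certificate for it with the openssl CLI. File names are arbitrary
    (assumed for this example). Returns (keyfile, certfile)."""
    keyfile = os.path.join(directory, f"rsa{bits}.key")
    certfile = os.path.join(directory, f"rsa{bits}.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", f"rsa:{bits}", "-nodes",
         "-keyout", keyfile, "-out", certfile, "-days", "1",
         "-subj", f"/CN={cn}"],
        check=True, capture_output=True,
    )
    return keyfile, certfile


def load_error(certfile, keyfile, seclevel=2):
    """Load a cert/key pair into a server SSL_CTX at the given OpenSSL
    security level, the way SSL_CTX_use_certificate_file and
    SSL_CTX_use_PrivateKey_file do in cert.c.
    Returns None on success, or the lowercased OpenSSL error text."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Debian 10 sets this level system-wide in openssl.cnf; forcing it
    # here makes the check independent of the host's own defaults.
    ctx.set_ciphers(f"DEFAULT:@SECLEVEL={seclevel}")
    try:
        ctx.load_cert_chain(certfile, keyfile)
    except ssl.SSLError as exc:
        # e.g. "[SSL: EE_KEY_TOO_SMALL] ee key too small (...)"
        return str(exc).lower()
    return None


def check_key_sizes(sizes=(1024, 2048), seclevel=2):
    """Generate one key per requested size and report, per size, whether
    the security level rejects it (None means it loaded fine)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for bits in sizes:
            keyfile, certfile = make_self_signed(bits, tmp)
            results[bits] = load_error(certfile, keyfile, seclevel)
    return results


if __name__ == "__main__":
    for bits, err in check_key_sizes().items():
        print(f"RSA-{bits}: {'OK' if err is None else err}")
```

Running it on a host whose OpenSSL honours security levels shows the 1024-bit pair failing with "ee key too small" and the 2048-bit pair loading cleanly, which is the whole difference between the old hard-coded RSA_generate_key_ex(rsa, 1024, ...) and the 2048-bit fix. Note that the level is checked against the end-entity key at load time; the CA key that signs the per-host certificates is checked later, by clients verifying the chain, so both ca.key and the generated keys need to be at least 2048 bits.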

@jrmwvu04


commented Aug 24, 2019

Just to add, this is also going to be an issue for macOS 10.15 and iOS 13 clients due to new enforcement rules.

https://support.apple.com/en-us/HT210176

"TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS."

@jackyaz jackyaz referenced this issue Aug 24, 2019
@jackyaz


commented Aug 25, 2019

I've had a go at patching the source to be Apple compliant:

jackyaz@0c13cd3
jackyaz@77c5fbe

I'll PR after I've had feedback from testers
