Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CA certificate not up to date #661

Closed
sileht opened this issue Aug 14, 2019 · 4 comments · Fixed by #662
Closed

CA certificate not up to date #661

sileht opened this issue Aug 14, 2019 · 4 comments · Fixed by #662
Assignees
@jamesdbloom
Labels
need_more_information

Comments

@sileht
Copy link
Contributor

sileht commented Aug 14, 2019

Hi,

I have recently updated some system to debian buster that now uses openssl 1.1.1. and the mockserver ssl certificat is no more valid.

rsa key must be 2048bit long.

While the mockserver CA SSL certificat looks good. The certificate built on the fly for custom domain looks have only 1024bit.

$ curl --cacert mockserver-ca.pem https://www.example.com
curl: (60) SSL certificate problem: EE certificate key too weak
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

$ openssl s_client -CAfile mockserver-ca.pem -connect www.example.com:443
CONNECTED(00000003)
depth=0 CN = www.example.com, O = MockServer, L = London, ST = England, C = UK
verify error:num=66:EE certificate key too weak
verify return:1
depth=1 CN = www.mockserver.com, O = MockServer, L = London, ST = England, C = UK
verify return:1
depth=0 CN = www.example.com, O = MockServer, L = London, ST = England, C = UK
verify return:1

...

---
SSL handshake has read 2105 bytes and written 436 bytes
Verification error: EE certificate key too weak
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 1024 bit

Regards,
sileht pushed a commit to sileht/mockserver that referenced this issue Aug 14, 2019
ssl: generates 2048 RSA key
66ed31a 
Openssl 1.1.1 does not considere 1024bit RSA key as secure.

So this changes the generate key size to 2048

Closes: mock-server#661
@sileht sileht mentioned this issue Aug 14, 2019
Merged
sileht pushed a commit to sileht/mockserver that referenced this issue Aug 14, 2019
ssl: generates 2048 RSA key
719264d 
Openssl 1.1.1 does not considere 1024bit RSA key as secure.

So this changes the generate key size to 2048

Closes: mock-server#661
sileht pushed a commit to sileht/mockserver that referenced this issue Aug 14, 2019
ssl: generates 2048 RSA key
413d4d8 
Openssl 1.1.1 does not considere 1024bit RSA key as secure.

So this patch changes the generated key size to 2048

Closes: mock-server#661
jamesdbloom pushed a commit that referenced this issue Sep 24, 2019
@jamesdbloom
ssl: generates 2048 RSA key
7aaab86 
Openssl 1.1.1 does not considere 1024bit RSA key as secure.

So this patch changes the generated key size to 2048

Closes: #661
@taron-dev
Copy link

Files https://github.com/mock-server/mockserver/tree/master/mockserver-core/src/main/resources/org/mockserver/socket is not up to date. I am getting ERR_CERT_WEAK_KEY

@jamesdbloom
Copy link
Collaborator

I will update these files prior to doing the next release otherwise I'll break the current released version of MockServer. The new release will include new logic to generate certificates that don't rely on the good but massively over-bloated bouncy castle. I've added a note to this backlog item to update the certs https://trello.com/c/tsJDyFuy/80-replace-bouncy-castle-with-java-8-jdk-approach-for-dynamic-certs

@jamesdbloom jamesdbloom changed the title ssl certificat too weak CA certificate not up to date Jan 3, 2020
@jamesdbloom jamesdbloom reopened this Jan 3, 2020
@jamesdbloom jamesdbloom self-assigned this Jan 3, 2020
@jamesdbloom jamesdbloom added the bug label Jan 3, 2020
@jamesdbloom
Copy link
Collaborator

@ondro2208 actually I was wrong those files don't need to be updated, can you provide more detail on your ERR_CERT_WEAK_KEY, which cert, what tool if giving you that, what is the full error output, etc

@jamesdbloom
Copy link
Collaborator

jamesdbloom commented Jan 31, 2020
edited
Loading

I'm closing the issue as I can't reproduce on the current codebase. In addition in the new release that will be completed and release as soon as the final TLS documentation is updated, there have been extensive updates to the TLS logic. The following features have been added:

  • dynamically create local CA X509 (instead of using fixed CA in git repo) - only enabled via configuration
  • require mTLS (client authentication) for all calls to MockServer - only enabled via configuration
  • support mTLS (client authentication) for proxied requests,
  • control over which CAs to trust for proxied request - options available via configuration: no validation, using JVM trust store, use custom CA chain provide by file
  • replaced Bouncy Castle with pure JDK (saved 6MB from jar-with-dependencies and simplified code)

The first item on the list allows the CA X509 to be dynamically generated and saved in a specified directory (which is reused as long as the file is present in the specified directory).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jamesdbloom jamesdbloom

Labels
need_more_information
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

ssl: generates 2048 RSA key sileht/mockserver
3 participants
@sileht @jamesdbloom @taron-dev