Project

General

Profile

Actions
Copy link

Bug #905

closed

OpenVPN certificate manager uses incorrect key length

Added by Jim Pingle over 13 years ago. Updated over 13 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
OpenVPN
Target version:
2.0
Start date:
09/19/2010
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.0
Affected Architecture:

Description

Submitted to me via e-mail from "warhol" when the DB was having issues:

Problem: Cert Manager only produces 1024bit certs,
no matter what key size is selected.

As discussed on #pfsense, a short bug report.
Last checked on: Snapshot from Sun Sep 19 01:32:51 UTC 2010 (amd64), full inst
Also checked on: earlier snapshots on embedded i386

How to reproduce:
Go to System -> Cert Manager, CAs tab, add a new CA, chose "internal CA".
Chose a key length other than 1024 (2048 is even pre-selected).
(Same game when creating an internal certificate on the Certificates tab.)

Then download the produced cert and check its details.
I use certtool from the GnuTLS project on linux:

cat test4096.crt | certtool -i

and find the following lines every time:

        Subject Public Key Algorithm: RSA
                Modulus (bits 1024):

I had produced 2048bit certs at work before with xca and tinyca,
and confirmed they show up as "bits 2048" in certtool accordingly.
So assume the Cert Manager on pfsense just ignored the key length setting.

Actions
Copy link
 #1

Updated by Jim Pingle over 13 years ago

This can also be verified by using standard OpenSSL commands:

$  openssl rsa -noout -text -in CA4096.key
Private-Key: (1024 bit)
[...]
$ openssl x509 -noout -text -in CA4096.crt 
[...]
RSA Public Key: (1024 bit)
    Modulus (1024 bit):

We do appear to be passing the correct parameters to openssl_csr_new() and openssl_csr_sign(), and casting with (int) as recommended in the PHP docs (http://php.net/manual/en/function.openssl-csr-new.php), but what we get back is always 1024. It will need some more experimentation to narrow down.

Actions
Copy link
 #2

Updated by Jim Pingle over 13 years ago

Looks like the key length wasn't also being passed to openssl_pkey_new. I'll be committing a fix shortly.

Actions
Copy link
 #3

Updated by Jim Pingle over 13 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions
Copy link
 #4

Updated by Andreas Bochem over 13 years ago

Confirm certs are now created with the correct key length as chosen in the gui.
Tested on Snapshot from Fri Oct 1 07:58:19 UTC 2010, amd64, full install.

Actions
Copy link
 #5

Updated by Jim Pingle over 13 years ago

  • Status changed from Feedback to Resolved
Actions
Copy link

Also available in: Atom PDF