Todo #14672
closedPrevent weak SHA1 certificates from being used with GUI and Captive Portal
100%
Description
The nginx
daemon for the GUI fails to run with a SHA1 certificate on dev snapshots using OpenSSL 3.0
The daemon logs an error and terminates:
2023/08/09 19:09:10 [emerg] 77010#100309: SSL_CTX_use_certificate("/var/etc/cert.crt") failed (SSL: error:0A00018E:SSL routines::ca md too weak)
We should either filter these certificates out of the list offered for use by the GUI and Captive Portal or trigger an input validation error when saving with one selected. This limitation should also be noted in the help text under the GUI certificate field.
We should also check on upgrade if the GUI is using such a certificate and if so, generate a new GUI certificate.
For Captive Portal it's not as clear, but since the certificate will cause the daemon to fail, we need to do something (e.g. disable portal zone and notify user)
Updated by Jim Pingle over 1 year ago
Note this is for both the certificate itself using SHA1 or if the CA is using SHA1. Neither one can use it.
Updated by Jim Pingle over 1 year ago
- Subject changed from Prevent users from choosing SHA1 certificate for GUI to Prevent users from choosing SHA1 certificate for GUI and Captive Portal
- Description updated (diff)
Added Captive Portal here since it will also fail with a SHA1 cert or CA
Updated by Jim Pingle over 1 year ago
- Status changed from New to In Progress
- % Done changed from 0 to 70
Adding the GUI warnings and filtering out the invalid certificate choices is now complete.
The upgrade code is the only part remaining.
Updated by Jim Pingle over 1 year ago
- Status changed from In Progress to Feedback
- % Done changed from 70 to 100
Applied in changeset f78ae299e5ea7918478ad0cf902e169292ceb6f4.
Updated by Jim Pingle over 1 year ago
- Subject changed from Prevent users from choosing SHA1 certificate for GUI and Captive Portal to Prevent weak SHA1 certificates from being used with GUI and Captive Portal
Updating subject for release notes.
Updated by Jim Pingle over 1 year ago
- Status changed from Feedback to In Progress
- % Done changed from 100 to 90
Certs that have a weak CA are still offered for use in the GUI, but rejected in the backend. The GUI filtering still needs a little work.
Updated by Jim Pingle over 1 year ago
- Status changed from In Progress to Feedback
- % Done changed from 90 to 100
Applied in changeset ffcb42471edc6684a10e5670c89b5248de9a3038.
Updated by Jim Pingle about 1 year ago
- Status changed from Feedback to Resolved
The certificate lists appear to be appropriately filtered now.
Updated by Jim Pingle about 1 year ago
- Target version changed from 2.8.0 to 2.7.1