Project

General

Profile

Actions

Todo #14672

closed

Prevent weak SHA1 certificates from being used with GUI and Captive Portal

Added by Jim Pingle 9 months ago. Updated 6 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Web Interface
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.09
Release Notes:
Default

Description

The nginx daemon for the GUI fails to run with a SHA1 certificate on dev snapshots using OpenSSL 3.0

The daemon logs an error and terminates:

2023/08/09 19:09:10 [emerg] 77010#100309: SSL_CTX_use_certificate("/var/etc/cert.crt") failed (SSL: error:0A00018E:SSL routines::ca md too weak)

We should either filter these certificates out of the list offered for use by the GUI and Captive Portal or trigger an input validation error when saving with one selected. This limitation should also be noted in the help text under the GUI certificate field.

We should also check on upgrade if the GUI is using such a certificate and if so, generate a new GUI certificate.

For Captive Portal it's not as clear, but since the certificate will cause the daemon to fail, we need to do something (e.g. disable portal zone and notify user)

Actions #1

Updated by Jim Pingle 9 months ago

Note this is for both the certificate itself using SHA1 or if the CA is using SHA1. Neither one can use it.

Actions #2

Updated by Jim Pingle 8 months ago

  • Subject changed from Prevent users from choosing SHA1 certificate for GUI to Prevent users from choosing SHA1 certificate for GUI and Captive Portal
  • Description updated (diff)

Added Captive Portal here since it will also fail with a SHA1 cert or CA

Actions #3

Updated by Jim Pingle 8 months ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 70

Adding the GUI warnings and filtering out the invalid certificate choices is now complete.

The upgrade code is the only part remaining.

Actions #4

Updated by Jim Pingle 8 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 70 to 100
Actions #5

Updated by Jim Pingle 8 months ago

  • Subject changed from Prevent users from choosing SHA1 certificate for GUI and Captive Portal to Prevent weak SHA1 certificates from being used with GUI and Captive Portal

Updating subject for release notes.

Actions #6

Updated by Jim Pingle 7 months ago

  • Status changed from Feedback to In Progress
  • % Done changed from 100 to 90

Certs that have a weak CA are still offered for use in the GUI, but rejected in the backend. The GUI filtering still needs a little work.

Actions #7

Updated by Jim Pingle 7 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 90 to 100
Actions #8

Updated by Jim Pingle 7 months ago

  • Status changed from Feedback to Resolved

The certificate lists appear to be appropriately filtered now.

Actions #9

Updated by Jim Pingle 6 months ago

  • Target version changed from 2.8.0 to 2.7.1
Actions

Also available in: Atom PDF