Project

General

Profile

Actions

Regression #14678

closed

CA and Certificate renewal page does not properly list some SHA1 certificates as being weak

Added by Jim Pingle 11 months ago. Updated 9 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Certificates
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.09
Release Notes:
Default
Affected Version:
2.7.0
Affected Architecture:

Description

Noticed this when working on other OpenSSL changes, but some certificates are not being flagged by the renewal page as being weak. The "Would change" column says "No" when it should say "Yes". The most obvious example here is one with a digest listed as "RSA-SHA1". It's being converted to lowercase but the list it's being checked against is mixed case.

This can also affect the renewal process.

I'm fixing this along with other changes for #14672 and #14677


Files

clipboard-202308130917-dcyaf.png (4.61 KB) clipboard-202308130917-dcyaf.png aleksei prokofiev, 08/13/2023 06:17 AM
clipboard-202308140817-ouwpr.png (22.9 KB) clipboard-202308140817-ouwpr.png Jim Pingle, 08/14/2023 12:17 PM
clipboard-202308140818-jbf8s.png (38.2 KB) clipboard-202308140818-jbf8s.png Jim Pingle, 08/14/2023 12:18 PM
Actions #1

Updated by Jim Pingle 11 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by aleksei prokofiev 11 months ago

Tested this patch on 23.05.1 and 2.7.0
After apply the patch the the cert marks as Weak Digest

Actions #3

Updated by Jim Pingle 11 months ago

aleksei prokofiev wrote in #note-2:

Tested this patch on 23.05.1 and 2.7.0
After apply the patch the the cert marks as Weak Digest

That's not the location this bug is talking about. This would be after clicking the renew action icon:

And then it would be this field at the bottom of the renewal page:

Actions #4

Updated by Jim Pingle 11 months ago

  • Subject changed from CA/Cert renew page is not properly listing some SHA1 certificates as being weak to CA and Certificate renewal page does not properly list some SHA1 certificates as being weak

Updating subject for release notes.

Actions #5

Updated by aleksei prokofiev 11 months ago

I can confirm that it is working as expected. Tested patch on 23.05.1 and 2.7.0

Actions #6

Updated by aleksei prokofiev 11 months ago

Also can confirm on 23.09

23.09-DEVELOPMENT (amd64)
built on Fri Aug 18 17:49:48 UTC 2023
FreeBSD 14.0-ALPHA1

Actions #7

Updated by Jim Pingle 11 months ago

  • Status changed from Feedback to Resolved
Actions #8

Updated by Jim Pingle 9 months ago

  • Target version changed from 2.8.0 to 2.7.1
Actions

Also available in: Atom PDF