----- Original Message ----- > From: "Joe Orton" <[email protected]> > To: [email protected] > Sent: Monday, 28 April, 2014 10:39:09 AM > Subject: Re: [Secure Coding] master: RPM packaging: X.509 key pair generation > (95c2976) > > On Fri, Apr 25, 2014 at 02:33:43PM +0000, [email protected] wrote: > > + if ! test -e %{tlscert} ; then > > + cn="Automatically generated certificate for the %{tlsuser} service" > > + openssl req -new -x509 -extensions usr_cert \ > > + -key %{tlskey} -out %{tlscert} -days 7305 -subj "/CN=$cn/" > > We also pass here: > > -serial $RANDOM -sha256 > > in the mod_ssl %post, possibly recommend these also? We had a couple of > user complaints when the serial number wasn't set; not a big issue but > simple to work around. > > I'm not sure whether current OpenSSL is using a SHA256 hash by default > already, that part might be redundant.
It should use SHA256 be default, but that's irrelevant for self signed certificates. They have the same threat model as CA trust anchors, either you trust them as is or you don't, the signature is essentially just a checksum. -- Regards, Hubert Kario Quality Engineer, QE BaseOS Security team Email: [email protected] Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic -- security mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/security
