Increase Default bit length on Webmin's default self signed cert from 512 to 1024 or 2048

I'm bringing this issue up because it's now causing an issue when accessing my servers from Mac Lion with Chrome installed.

The main source of my problem is from Apple's recent patch: http://support.apple.com/mb/HT5281

"Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

Impact: Support for X.509 certificates with insecure-length RSA keys may expose users to spoofing and information disclosure

Description: Certificates signed using RSA keys with insecure key lengths were accepted by libsecurity. This issue is addressed by rejecting certificates containing RSA keys less than 1024 bits."

It's causing an SSL warning page that can't be bypassed. Chrome is working on fixing it so that it's not a fatal error and can be bypassed, but I think that's just going to be working around the issue for now. Doing a little more research on the state of crypto I found:

https://en.wikipedia.org/wiki/RSA_numbers#RSA-768

SSL has been cracked up to the 768 bit length.

Opera has also deprecated 512 bit SSL certs

http://my.opera.com/securitygroup/blog/2009/09/29/512-bit-rsa-key-breaki...

Let's move the bar, so we don't have to look at this issue again....for a while: Make the default SSL cert 1024, or 2048 bits in length. :)

Status: 
Closed (fixed)

Comments

Just starting to do server updates, and on one of my latest servers under Webmin | Webmin Configuration | SSL Encryption | Self Signed Certificate I see RSA key size Default (2048).

However, looking at the SSL certificate in use (the one that was created by default during the Virtualmin install, done 1-2 months ago) I see that the certificate is 512-bit (screenshot attached). Must be something in the install script not using Webmin's default length.

I'll leave the vm18.isointeractive.com with the old SSL cert till we have the details of this ticket finalized.

Thanks for pointing this out - the issue is that the default SSL cert created when Webmin (and Virtualmin) is installed is only 512 bits. As a work-around, you can generate a new self-signed cert with 2048 bits at Webmin -> Webmin Configuration -> SSL Encryption -> Self Signed Certificate.

The next Webmin release will create a 2048 bit key by default.
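Added example, not code from the thread or from the Webmin/Virtualmin project: a small stdlib-only Python script that pulls the RSA modulus length out of an X.509 certificate and applies the same rule the quoted Apple advisory describes (reject RSA keys shorter than 1024 bits), so you can check a server's certificate before a browser refuses it. The certificate path /etc/webmin/miniserv.pem and port 10000 in the usage line are assumed Webmin defaults; the "dummy" certificates built at the bottom are constructed, unsigned skeletons with placeholder moduli used only to exercise the parser, not real keys.

```python
"""Report an X.509 certificate's RSA key length and apply the
"reject RSA keys < 1024 bits" rule quoted from Apple's advisory.

Added example for this thread, not Webmin/Virtualmin code. Pure stdlib:
a minimal DER walker that locates subjectPublicKeyInfo.
"""
import base64
import re
import ssl
import sys

MIN_RSA_BITS = 1024                  # threshold from the Apple advisory quoted above
RSA_OID = "1.2.840.113549.1.1.1"     # rsaEncryption
_RSA_OID_DER = bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01])


# --- minimal DER decoding -------------------------------------------------
def _read_tlv(data, pos):
    """Decode one tag-length-value at data[pos]; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _children(body):
    """Split the body of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out


def _decode_oid(value):
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def rsa_key_bits(der):
    """Return the RSA modulus length in bits, or None if the key is not RSA."""
    _, cert, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                 # tbsCertificate ::= SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    algorithm, (_, bit_string) = _children(fields[5][1])
    if _decode_oid(_children(algorithm[1])[0][1]) != RSA_OID:
        return None
    # BIT STRING payload: one "unused bits" byte, then RSAPublicKey ::= SEQUENCE {n, e}
    _, rsa_pub, _ = _read_tlv(bit_string[1:], 0)
    return int.from_bytes(_children(rsa_pub)[0][1], "big").bit_length()


def _pem_to_der(text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def check_pem(pem_text, min_bits=MIN_RSA_BITS):
    """Return (rsa_bits, accepted); non-RSA keys are outside this rule and pass."""
    bits = rsa_key_bits(_pem_to_der(pem_text))
    return bits, (bits is None or bits >= min_bits)


# --- constructed test material (NOT real keys or certificates) --------------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _seq(*items):
    return _tlv(0x30, b"".join(items))


def _int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return _tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)


def build_dummy_cert(key_bits):
    """Unsigned X.509 skeleton whose RSA modulus is a placeholder of key_bits bits."""
    modulus = (1 << (key_bits - 1)) | 1          # top bit set => bit_length == key_bits
    alg = _seq(_tlv(0x06, _RSA_OID_DER), _tlv(0x05, b""))   # placeholder AlgorithmIdentifier
    spki = _seq(alg, _tlv(0x03, b"\x00" + _seq(_int(modulus), _int(65537))))
    name = _seq()                                 # empty Name; enough for the parser
    validity = _seq(_tlv(0x17, b"120101000000Z"), _tlv(0x17, b"130101000000Z"))
    tbs = _seq(_tlv(0xA0, _int(2)), _int(1), alg, name, validity, name, spki)
    return _seq(tbs, alg, _tlv(0x03, b"\x00"))    # empty signature: never verified here


def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # usage: cert_keysize.py /etc/webmin/miniserv.pem   |   cert_keysize.py host:10000
    if len(sys.argv) < 2:
        for bits in (512, 2048):
            print("constructed %d-bit cert -> %s" % (bits, check_pem(to_pem(build_dummy_cert(bits)))))
    elif ":" in sys.argv[1]:
        host, port = sys.argv[1].rsplit(":", 1)
        print(check_pem(ssl.get_server_certificate((host, int(port)))))
    else:
        with open(sys.argv[1]) as f:
            print(check_pem(f.read()))
```

Pointing it at the file is the reliable route: miniserv.pem holds both the private key and the certificate, and the regex only picks up the CERTIFICATE block. Fetching over the network with ssl.get_server_certificate can itself fail on a modern OpenSSL that refuses to handshake with a 512-bit server key, which is the same symptom the thread is about, so a handshake error there is a finding, not a bug in the script. After regenerating a 2048-bit certificate through the Webmin page named above, rerun the check to confirm the value moved.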

Automatically closed -- issue fixed for 2 weeks with no activity.