Webmin/Virtualmin's SSL certificate on port 10000 is considered too weak at only 512 bits.

A PCI scan revealed that the SSL certificate on Virtualmin's port is too weak at only 512 bits. Some browsers, such as Internet Explorer, will flag the certificate as too weak and not let you use Virtualmin, according to the scan. The Stack Overflow article (http://stackoverflow.com/questions/589834/what-rsa-key-length-should-i-u...) shows that current best practice is RSA keys of at least 2048 bits. I'd prefer everyone move to elliptic curve cryptography, but basically nothing supports it yet.

Would it make sense to release a new Virtualmin RPM that replaces everyone's pitiful 512-bit key, unless they have already done so themselves? It might be possible to brute-force the wimpy 512-bit key these days with a decent server with a bunch of GPUs in it.

Bizarrely, Webmin has a feature to replace its default insecure 512-bit key with a newer 2048-bit key. You can do this at Webmin -> Webmin Configuration -> SSL Encryption -> Self-signed Certificate. Oddly enough, the default there is the recommended 2048 bits, but if that's the default here, why does Virtualmin install with a default self-signed key of only 512 bits? I have used that page to create a new 2048-bit key to replace the default insecure 512-bit key.

Thanks, Dave.

Status: Closed (fixed)

Comments

Yes, the default has been 2048 bits for a few versions now. However, I'm not sure it is a good idea to automatically replace any 512-bit keys with a larger size at install time - that seems like the kind of thing that might annoy sysadmins and maybe cause browser SSL cert warnings.

I think a better option is to display a warning if the cert is too small, and prompt the user to re-generate a larger one.
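The check behind this thread (is the key on port 10000 really only 512 bits?) and the "warn if the cert is too small" behaviour proposed in the comment above, as an added shell example. This is not Webmin's or Virtualmin's code: it reads the public-key size out of a PEM certificate (or out of the live certificate fetched from port 10000), applies a 2048-bit floor for RSA and a 256-bit floor for EC keys, and exits non-zero with a pointer to the regeneration page when the key is too small. It assumes the openssl CLI is installed; the path /etc/webmin/miniserv.pem is the usual Webmin certificate location and is an assumption here, so pass a path explicitly if yours differs.

```sh
#!/bin/sh
# Added example: report the public-key size of the certificate Webmin's miniserv
# serves on port 10000 and warn when it is below current practice (RSA >= 2048).
# Not Webmin/Virtualmin code. Assumes the openssl CLI is installed; the default
# location /etc/webmin/miniserv.pem is an assumption, pass another path if needed.

MIN_RSA_BITS=2048   # RSA modulus size considered acceptable
MIN_EC_BITS=256     # EC key sizes are not comparable to RSA sizes, so use a separate floor

# Dump a PEM certificate as text (openssl x509 -text) for the helpers below.
cert_text() {
    openssl x509 -in "$1" -noout -text 2>/dev/null
}

# Public key size in bits, as printed by openssl ("Public-Key: (512 bit)";
# old releases print "RSA Public Key: (512 bit)", hence the [- ] in the pattern).
cert_key_bits() {
    cert_text "$1" | sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Public key algorithm, e.g. "rsaEncryption" or "id-ecPublicKey".
cert_key_algo() {
    cert_text "$1" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1
}

# Fetch the leaf certificate a live TLS endpoint presents (Webmin: port 10000)
# and save it as PEM to $3, so the file-based checks above can be run on it.
fetch_remote_cert() {
    host=$1; port=${2:-10000}; out=$3
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | openssl x509 -outform PEM > "$out" 2>/dev/null
}

# Exit status: 0 = acceptable, 1 = too weak (prints a warning with the fix),
# 2 = the file could not be parsed as a certificate.
check_cert_strength() {
    cert=$1
    bits=$(cert_key_bits "$cert")
    algo=$(cert_key_algo "$cert")
    if [ -z "$bits" ]; then
        echo "ERROR: no public key could be read from $cert" >&2
        return 2
    fi
    case "$algo" in
        *ecPublicKey*) min=$MIN_EC_BITS ;;
        *)             min=$MIN_RSA_BITS ;;
    esac
    if [ "$bits" -lt "$min" ]; then
        echo "WARNING: $cert uses a $bits-bit $algo key (minimum $min)." >&2
        echo "Regenerate it at Webmin -> Webmin Configuration -> SSL Encryption -> Self-signed Certificate." >&2
        return 1
    fi
    echo "OK: $cert uses a $bits-bit $algo key"
    return 0
}

# Usage: sh check_miniserv_cert.sh [/path/to/cert.pem]
# With no argument, checks the assumed default Webmin certificate if it is readable.
if [ "$#" -gt 0 ]; then
    check_cert_strength "$1"
elif [ -r /etc/webmin/miniserv.pem ]; then
    check_cert_strength /etc/webmin/miniserv.pem
fi
```

To check a remote host the way the PCI scanner saw it rather than reading the file on disk, run `fetch_remote_cert myhost 10000 /tmp/miniserv.pem && check_cert_strength /tmp/miniserv.pem`; the bit count reported is the modulus size, which is why EC keys get their own threshold instead of being flagged by the RSA floor.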

Yeah, a warning is probably the better way to go. It'd be nice if it gave a link to the right page to do it.

I have the Firefox plugin Certificate Patrol installed, which monitors changes in SSL certs to detect MITM attacks, and it flagged the new cert when I changed mine.

Ok, I have implemented a warning like this for inclusion in the 3.97 Virtualmin release.

Ok, that should fix this bug.

Automatically closed -- issue fixed for 2 weeks with no activity.