GNOME Bugzilla – Bug 745588
Update intermediate certificates to use SHA2 hash
Last modified: 2015-03-18 16:39:30 UTC
https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know

The current *.gnome.org certificates make use of SHA1 for:
- the actual certificate
- the intermediate certificates

I think we should start replacing the intermediate certificates:
https://www.startssl.com/certs/
https://www.startssl.com/certs/class2/sha2/ (seems like it)

We're pretty good according to SSLLabs, just need to fix the hash:
https://www.ssllabs.com/ssltest/analyze.html?d=bugzilla.gnome.org
To do this, make sure you use the openssl req -sha256 command (-sha256 is undocumented) when generating the CSR.
I'd wait for the existing certificates to expire as:
1. Revoking them has a cost.
2. I should renew the organization class 2 identity as it expired recently and we can't issue any new certificate until that is sorted out. I'll deal with it soon.
3. This also reminds me we should update GNOME Foundation's address and state on the certificates as we moved from Boston, MA to Orinda, CA.

I'll move this ticket ahead with point 2. first as that'll take a bit to be processed and verified.
But you can change the intermediate certificate, no? The server provides multiple:
1. Our certificate (*.gnome.org)
2. The intermediate certificates

I'm talking about #2. So keep our *.gnome.org as sha1, change the intermediates to sha2.
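The two points above (generate the CSR with a SHA-256 signature, and check which elements of the served chain are still SHA-1) both come down to reading the signatureAlgorithm of a DER object. The script below is an added example by the editor, not code from this bug or from GNOME's infrastructure: it decodes just enough DER to pull the outer AlgorithmIdentifier OID out of every PEM block in a bundle (an X.509 Certificate and a PKCS#10 CertificationRequest share the shape SEQUENCE { body, AlgorithmIdentifier, BIT STRING }) and flags the SHA-1/MD5 ones. The sample bundle is constructed in the script with placeholder bodies and signatures so it runs offline; on a real chain file you would feed it the output of openssl s_client -showcerts, and the equivalent one-liner per certificate is openssl x509 -noout -text | grep 'Signature Algorithm'.

```python
"""Audit the signature hash of every certificate / CSR in a PEM bundle.

Added example (not GNOME's code). Only the outer signatureAlgorithm is
parsed; the certificate bodies in the sample are deliberately minimal and
unsigned, they exist solely so the DER framing is realistic.
"""
import base64
import re

# Well-known signature OIDs; True marks a hash that browsers are deprecating.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", False),
}

def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn OID content octets into dotted form (base-128 arcs, first byte = 40*a+b)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Outer signatureAlgorithm OID of a DER Certificate or CertificationRequest."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _, pos = _read_tlv(body, 0)          # skip tbsCertificate / certificationRequestInfo
    tag, algid, _ = _read_tlv(body, pos)    # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def pem_blocks(text):
    """Yield (label, der_bytes) for each -----BEGIN X----- block in a bundle."""
    pat = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
    return [(m.group(1), base64.b64decode(re.sub(r"\s+", "", m.group(2))))
            for m in pat.finditer(text)]

def audit_bundle(pem_text):
    """Return [(index, label, algorithm_name, needs_replacement)] per PEM block."""
    report = []
    for i, (label, der) in enumerate(pem_blocks(pem_text)):
        oid = signature_oid(der)
        name, weak = SIG_OIDS.get(oid, (oid, True))   # unknown OID: flag for review
        report.append((i, label, name, weak))
    return report

# --- constructed sample data (hypothetical, not real GNOME certificates) ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out

def fake_signed(sig_oid):
    """Certificate/CSR skeleton with real framing, placeholder body and signature."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL params
    body = _tlv(0x30, _tlv(0x02, b"\x01") + alg)                      # serial + inner sig alg
    sig = _tlv(0x03, b"\x00" + b"\x00" * 16)                          # BIT STRING placeholder
    return _tlv(0x30, body + alg + sig)

def to_pem(der, label):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

SAMPLE_BUNDLE = (to_pem(fake_signed("1.2.840.113549.1.1.5"), "CERTIFICATE")      # leaf, still SHA-1
                 + to_pem(fake_signed("1.2.840.113549.1.1.11"), "CERTIFICATE")   # intermediate, SHA-2
                 + to_pem(fake_signed("1.2.840.113549.1.1.11"), "CERTIFICATE REQUEST"))  # CSR from req -sha256

if __name__ == "__main__":
    for idx, label, name, weak in audit_bundle(SAMPLE_BUNDLE):
        print(f"#{idx} {label:20} {name:26} {'REPLACE' if weak else 'ok'}")
```

Run it against a chain captured with openssl s_client -showcerts and anything marked REPLACE is a SHA-1 element the server still sends; block #0 being the only weak one mirrors the situation in this bug after the intermediates were swapped but before the *.gnome.org certificate itself was renewed.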
Yes, we can certainly do that, updated the proxies and bugzilla. Will process all the services within tomorrow. https://infrastructure.gnome.org/browse/puppet/commit/?id=f44b02e3c6e0df561eb6e60ac9312c0df4eb7052
Awesome! I checked bugzilla and ssllabs now shows the SHA2 ones. It also checks that this works with various clients. Seems to work fine.
I moved this forward and now all the major GNOME services are using a SHA2 certificate both for the server and for the intermediate certificates. Also made sure the new Foundation's address is being used on those.