Bug 745588 - Update intermediate certificates to use SHA2 hash
Status: RESOLVED FIXED
Product: sysadmin
Classification: Infrastructure
Component: Other
Version: unspecified
Hardware: Other All
Importance: Normal normal
Target Milestone: ---
Assigned To: Andrea Veri
GNOME Sysadmins
Depends on:
Blocks:
Reported: 2015-03-04 10:11 UTC by Olav Vitters
Modified: 2015-03-18 16:39 UTC
See Also:
GNOME target: ---
GNOME version: ---
Description Olav Vitters 2015-03-04 10:11:05 UTC
https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know

The current *.gnome.org certificates make use of SHA1 for:
- the actual certificate
- the intermediate certificates

I think we should start replacing the intermediate certificates:
https://www.startssl.com/certs/
https://www.startssl.com/certs/class2/sha2/ (seems like it)

We're pretty good according to SSLLabs, just need to fix the hash:
https://www.ssllabs.com/ssltest/analyze.html?d=bugzilla.gnome.org
Comment 1 Patrick Uiterwijk 2015-03-04 10:18:47 UTC
To do this, make sure you use the openssl req -sha256 command (-sha256 is undocumented) when generating the CSR.
Comment 2 Andrea Veri 2015-03-04 17:29:20 UTC
I'd wait for existing certificates to expire as:

1. Revoking them has a cost
2. I should renew the organization class 2 identity as it expired recently and we can't issue any new certificate until that is sorted out. I'll deal with it soon.
3. This also reminds me we should update GNOME Foundation's address and state on the certificates as we moved from Boston, MA to Orinda, CA.

I'll move this ticket ahead with point 2. first as that'll take a bit to be processed and verified.
Comment 3 Olav Vitters 2015-03-05 08:40:37 UTC
But you can change the intermediate certificate, no?

The server provides multiple:
1. Our certificate (*.gnome.org)
2. The intermediate certificates

I'm talking about #2. So keep our *.gnome.org as sha1, change the intermediates to sha2.
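Added example, not code from this bug or from GNOME's infrastructure: a small Python checker that walks a PEM chain in the order a server sends it and reports which certificate (leaf versus intermediates, the distinction drawn above) is still SHA-1 signed. The certificates embedded in it are constructed stubs carrying only the outer ASN.1 shape, not real certificates.

```python
import base64
import re

SIG_OIDS = {  # signature OIDs the report names; anything else is shown as its dotted OID
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length
def _decode_oid(raw):
    parts, val = list(divmod(raw[0], 40)), 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [val], 0
    return ".".join(map(str, parts))
def signature_algorithm(der):
    """Dotted OID of Certificate.signatureAlgorithm, i.e. how the issuer signed it."""
    _, cert, _ = _tlv(der, 0)                      # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, _, after_tbs = _tlv(cert, 0)                # skip tbsCertificate
    _, alg, _ = _tlv(cert, after_tbs)              # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _tlv(alg, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OBJECT IDENTIFIER"
    return _decode_oid(oid)

def chain_report(pem_text):
    """[(index, algorithm, flagged)] per cert in chain order; flagged = SHA-1 signed."""
    report = []
    for i, b64 in enumerate(re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)):
        oid = signature_algorithm(base64.b64decode("".join(b64.split())))
        name = SIG_OIDS.get(oid, oid)
        report.append((i, name, "sha1" in name.lower()))
    return report

def _fake_cert(oid_bytes):
    """Constructed, NOT a real certificate: just the outer DER shape the parser walks."""
    der = lambda tag, body: bytes([tag, len(body)]) + body          # short-form lengths suffice here
    alg = der(0x30, der(0x06, oid_bytes) + der(0x05, b""))
    cert = der(0x30, der(0x30, b"") + alg + der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()

# Constructed chain: leaf still sha1WithRSA (.5), intermediate re-issued with sha256WithRSA (.11).
SAMPLE_CHAIN = _fake_cert(bytes.fromhex("2a864886f70d010105")) + _fake_cert(bytes.fromhex("2a864886f70d01010b"))
```

For a live chain, feed it the PEM blocks printed by `openssl s_client -showcerts` instead of SAMPLE_CHAIN.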
Comment 4 Andrea Veri 2015-03-05 15:47:38 UTC
Yes, we can certainly do that; I updated the proxies and bugzilla. Will process all the services within tomorrow.

https://infrastructure.gnome.org/browse/puppet/commit/?id=f44b02e3c6e0df561eb6e60ac9312c0df4eb7052
Comment 5 Olav Vitters 2015-03-06 08:44:30 UTC
Awesome! I checked bugzilla and ssllabs now shows the SHA2 ones. It also checks that this works with various clients. Seems to work fine.
Comment 6 Andrea Veri 2015-03-18 16:39:30 UTC
I moved this forward and now all the major GNOME services are using a SHA2 certificate both for the server and for the intermediate certificates. Also made sure the new Foundation's address is being used on those.