
Feature #62655

Add support for ECDSA private keys and parsing certificate attributes

Added by J P over 1 year ago. Updated over 1 year ago.

Status: Ready for Testing
Priority: No priority
Assignee: Waqar Ahmed
Category: Middleware
Target version:
Estimated time:
Severity: High
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: No
Needs Merging: No
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
Tags:

Description

I would like to use an ECDSA key pair instead of RSA for HTTPS on my FreeNAS box. This type of setup is supported by OpenSSL and nginx, but the FreeNAS interface adds an additional length check on the key being used.

Specifically, the FreeNAS interface won't start the HTTPS server when the keys in use are shorter than 1024 bit. While this is a good security measure for RSA keys, it makes the use of ECDSA keys impossible. A 256 bit ECDSA key is about as strong as a 3072 bit RSA key.

Please apply the length check only to RSA keys.


Related issues

Related to FreeNAS - Bug #62883: Disallow keys of length less then 1024 (Closed)
Related to FreeNAS - Bug #62574: Accurately display certificate validity period (Done)
Related to FreeNAS - Feature #36403: Add Let's Encrypt Support for Certs (Ready for Testing)
Related to FreeNAS - Bug #27665: Add ability to accept ECC keys for Nginx (Done)
Copied to FreeNAS - Feature #73783: Add support for ECDSA private keys and parsing certificate attributes in new UI (Ready for Testing)

Associated revisions

Revision bcea9eda (diff)
Added by Waqar Ahmed over 1 year ago

Parse certificate attributes

This commit introduces the basic changes to parsing certificates and getting their attributes instead of using db.

Ticket: #62655

Revision 09f81940 (diff)
Added by Waqar Ahmed over 1 year ago

Parse certificate attributes

This commit introduces the basic changes to parsing certificates and getting their attributes instead of using db.

Ticket: #62655

Revision 9a35cf90 (diff)
Added by Waqar Ahmed over 1 year ago

tkt-62655: Parse certificate attributes (#2265)

Parse certificate attributes

This commit introduces the following changes:
1) Parse certificate attributes instead of relying on db values
2) Allow ecdsa private keys in nginx and certificate subsystem
3) Make sure rsa private keys of size less then 1024 are not allowed in the system
4) Remove legacy alerts in certificate subsystem and use new alert infrastructure instead

Ticket: #62655

History

#1 Updated by J P over 1 year ago

FreeNAS does not support certificates with keys shorter than 1024 bits. HTTPS will not be enabled until a certificate having at least 1024 bit keylength is provided

This is the error message that appears in the alert section.

#2 Updated by J P over 1 year ago

I was able to fix the problem temporarily for me by changing the line:
if [ ${validcert} -eq 0 -a ${safecert} -ge 1024 ]; then
to
if [ TRUE ]; then
in /etc/ix.rc.d/ix-nginx and disabling the validity and safecert checks with it.

I would suggest using 'pkey' instead of 'rsa' for the OpenSSL commands in the lines above the if branch. The 'pkey' parameter was introduced with OpenSSL 1.0.0 in 2010 and works for both RSA and ECDSA based keys.

Additionally, there should be a check if the key type is RSA and only then parse the safecert variable, otherwise ignore it.

#3 Updated by Dru Lavigne over 1 year ago

  • Category changed from GUI (new) to Middleware
  • Assignee changed from Release Council to William Grzybowski

#4 Updated by William Grzybowski over 1 year ago

  • Assignee changed from William Grzybowski to Waqar Ahmed
  • Target version changed from Backlog to 11.3

#5 Updated by Waqar Ahmed over 1 year ago

  • Status changed from Unscreened to Screened

#6 Updated by Waqar Ahmed over 1 year ago

  • Related to Bug #62883: Disallow keys of length less then 1024 added

#7 Updated by Waqar Ahmed over 1 year ago

  • Status changed from Screened to In Progress
  • Severity changed from New to Medium

#8 Updated by Waqar Ahmed over 1 year ago

  • Subject changed from FreeNAS won't start HTTPS webserver when ECDSA keys are used to Parse Certificate Attributes
  • Severity changed from Medium to High

This ticket introduces the following changes:
1) Parse certificate attributes instead of relying on db values
2) Allow ecdsa private keys in nginx and certificate subsystem
3) Make sure rsa private keys of size less than 1024 are not allowed in the system

Acceptance Criteria for this ticket are:
1) Create certificates of all types ( CA/certificates both, including importing of these types )
2) Test ACME certificate creation ( the first point covers this but just adding it separately )
3) Import a certificate with an EC key and set nginx to use that - it should work
4) Try importing an RSA based key of size less than 1024, this should fail
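The check that comment #2 asks for (decide the key type first, apply the 1024-bit floor only to RSA) and that the acceptance criteria above test, written as an added example in Python with the `cryptography` package. This is not FreeNAS middleware code; the key material it uses is generated fresh inside `sample_keys()` purely for demonstration.

```python
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa

# The floor ix-nginx applied to every key; here it applies to RSA only.
MIN_RSA_BITS = 1024


def inspect_private_key(pem: bytes) -> dict:
    """Parse a PEM private key and report type and size from the key itself
    (what `openssl pkey -text -noout` shows) rather than a stored db value."""
    key = serialization.load_pem_private_key(pem, password=None)
    if isinstance(key, rsa.RSAPrivateKey):
        return {"type": "RSA", "bits": key.key_size}
    if isinstance(key, ec.EllipticCurvePrivateKey):
        return {"type": "EC", "bits": key.curve.key_size, "curve": key.curve.name}
    return {"type": type(key).__name__, "bits": getattr(key, "key_size", 0)}


def evaluate(info: dict) -> tuple:
    """Accept or reject from parsed attributes: the length floor is RSA-only,
    an EC key is accepted on its curve, any other key type is refused."""
    if info["type"] == "RSA":
        if info["bits"] < MIN_RSA_BITS:
            return False, "RSA key is %d bits, minimum is %d" % (info["bits"], MIN_RSA_BITS)
        return True, "RSA %d-bit key accepted" % info["bits"]
    if info["type"] == "EC":
        return True, "EC key on %s accepted" % info["curve"]
    return False, "unsupported key type %s" % info["type"]


def check_private_key(pem: bytes) -> tuple:
    """The check an upload/import path would run on the submitted key."""
    try:
        return evaluate(inspect_private_key(pem))
    except ValueError as exc:  # not a parseable private key at all
        return False, "unparseable key: %s" % exc


def _to_pem(key) -> bytes:
    return key.private_bytes(serialization.Encoding.PEM,
                             serialization.PrivateFormat.PKCS8,
                             serialization.NoEncryption())


def sample_keys() -> dict:
    """Constructed sample keys (generated here for the demo, not real keys)."""
    rsa_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ec_key = ec.generate_private_key(ec.SECP256R1())
    return {"rsa_2048": _to_pem(rsa_key), "ec_p256": _to_pem(ec_key)}
```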

#9 Updated by Waqar Ahmed over 1 year ago

  • Tracker changed from Bug to Feature
  • Seen in deleted (11.2-RELEASE)
  • ChangeLog Required deleted (No)

#10 Updated by Dru Lavigne over 1 year ago

  • Related to Bug #62574: Accurately display certificate validity period added

#11 Updated by Bug Clerk over 1 year ago

  • Status changed from In Progress to Ready for Testing

#13 Updated by Dru Lavigne over 1 year ago

  • Target version changed from 11.3 to 11.3-BETA1

#14 Updated by Dru Lavigne over 1 year ago

  • Related to Feature #36403: Add Let's Encrypt Support for Certs added

#15 Updated by Dru Lavigne over 1 year ago

  • Subject changed from Parse Certificate Attributes to Add support for ECDSA private keys and parsing certificate attributes
  • Needs Doc changed from Yes to No
  • Needs Merging changed from Yes to No

#16 Updated by Erin Clark over 1 year ago

  • Copied to Feature #73783: Add support for ECDSA private keys and parsing certificate attributes in new UI added

#17 Updated by Waqar Ahmed over 1 year ago

  • Related to Bug #27665: Add ability to accept ECC keys for Nginx added
