Harden default PKI setup
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | Medium | Dirk Mueller | | |
python-keystoneclient | Fix Released | Medium | Dirk Mueller | | |
Bug Description
keystone-manage pki_setup is a handy tool to quickly set up a default SSL public/private key pair for an initial test setup of OpenStack Keystone. Unfortunately it hardcodes defaults that are meanwhile considered less secure.
I understand that this is an example setup, but given that users are likely going to (re-) use the configuration defaults for their production setup, I think we should advertise good defaults instead of weak ones.
According to http://
The following keylengths are deprecated:
Hashing: 160-bit SHA-1 (note: MD4/MD5 was never an “acceptable algorithm” to the government, and should already be deprecated)
Signatures: 1024-bit DSA, 1024-bit RSA, 160-bit ECDSA
Encryption: 80/112-bit 2TDEA (two key triple DES)
When are they deprecated?
Hashing: for all hashes generated after 12/31/2010
Signatures: for all signatures generated after 12/31/2010
Encryption: for any information that needs to remain confidential after 12/31/2010
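An added example, not part of the original bug report or of the keystone code base: a small auditor that reads the text printed by `openssl x509 -noout -text` and flags the deprecated hashes and signature key sizes listed above. The sample dumps are constructed, and treating any key size at or below the listed one as weak is an assumption.

```python
import re

# Limits taken from the deprecation list quoted in the bug description;
# treating anything at or below the listed size as weak is an assumption.
MAX_DEPRECATED_BITS = {"rsa": 1024, "dsa": 1024, "ec": 160}
DEPRECATED_HASHES = ("md4", "md5", "sha1")

# Constructed excerpts in the layout printed by `openssl x509 -noout -text`.
WEAK_CERT_TEXT = """\
    Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""
STRONG_CERT_TEXT = """\
    Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
"""


def key_family(algorithm):
    """Map an OpenSSL public key algorithm name to rsa, dsa or ec."""
    name = algorithm.lower()
    for family, marker in (("ec", "ecpublickey"), ("rsa", "rsa"), ("dsa", "dsa")):
        if marker in name:
            return family
    return None


def audit_cert_text(text):
    """Return a list of findings for one certificate dump (empty if none)."""
    findings = []
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    # Matches "Public-Key:", "RSA Public-Key:" and the older "RSA Public Key:".
    bits = re.search(r"Public[- ]Key:\s*\((\d+) bit\)", text)
    if not (sig and alg and bits):
        return ["unparsed: signature algorithm, key algorithm or key size missing"]
    if any(h in sig.group(1).lower() for h in DEPRECATED_HASHES):
        findings.append(f"deprecated hash in signature: {sig.group(1)}")
    family = key_family(alg.group(1))
    size = int(bits.group(1))
    if family is None:
        findings.append(f"unknown key algorithm: {alg.group(1)}")
    elif size <= MAX_DEPRECATED_BITS[family]:
        findings.append(f"deprecated {family.upper()} key size: {size} bits")
    return findings
```

Feeding it the dump of each certificate in a deployment gives a quick list of the ones that still need to be reissued.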
Changed in keystone:
assignee: nobody → Dirk Mueller (dmllr)
Changed in keystone:
importance: Undecided → Medium
Changed in python-keystoneclient:
importance: Undecided → Medium
Changed in keystone:
milestone: none → havana-2
status: Fix Committed → Fix Released
Changed in python-keystoneclient:
milestone: none → 0.3.2
Changed in python-keystoneclient:
status: Fix Committed → Fix Released
Changed in keystone:
milestone: havana-2 → 2013.2
This might need a CVE, whom should I query for details? dmllr?