RHEL-81724

FUTURE crypto policy doesn't force generating 3072-bit RSA keys as a minimum


    • Bug
    • Resolution: Won't Do
    • rhel-9.5
    • crypto-policies
    • Important
    • rhel-security-crypto
    • ssg_security

      What were you trying to do that didn't work?

      When using the FUTURE policy, @SECLEVEL=3 enforces using 3072+ bit RSA keys, but it appears the OpenSSL configuration file /etc/pki/tls/openssl.cnf doesn't enforce this, causing openssl req or openssl genrsa commands to generate 2048-bit RSA keys by default:

      [ req ]
      default_bits            = 2048

      This is an important issue for OpenSSL clients generating keys, such as cockpit-ws or tog-pegasus.

      What is the impact of this issue to you?

      Self-signed certificates being generated are not usable

      Please provide the package NVR for which the bug is seen:

      crypto-policies-20240828-2.git626aa59.el9_5.noarch

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Switch to FUTURE policy
      2. Generate an RSA key

      Expected results

      3072-bit RSA key

      Actual results

      2048-bit RSA key
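An added check (example code, not from the bug report or from crypto-policies) that parses default_bits from the [ req ] section of an OpenSSL config, compares it with the 3072-bit minimum FUTURE enforces, and, when the openssl CLI is available, shows that a key generated with no explicit size falls below that minimum while one generated with the size passed explicitly meets it. The constructed openssl.cnf fragment, the temporary file names and the function names are assumptions.

```shell
# Added example (not from crypto-policies or the bug report): compare the
# default_bits openssl req would use with the RSA minimum FUTURE (@SECLEVEL=3)
# enforces, then check keys actually generated with and without a size.
FUTURE_MIN_RSA_BITS=3072

# Print default_bits from the [ req ] section of an OpenSSL config file.
default_bits_from_cnf() {
    awk -F'=' '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { in_req = ($0 ~ /^[ \t]*\[[ \t]*req[ \t]*\]/); next }
        in_req && $1 ~ /^[ \t]*default_bits[ \t]*$/ {
            gsub(/[ \t]/, "", $2); print $2; exit
        }' "$1"
}

# Print the modulus size of a PEM RSA private key (needs the openssl CLI).
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# Succeed when $1 is a number no smaller than $2.
meets_minimum() {
    [ -n "$1" ] && [ "$1" -ge "$2" ] 2>/dev/null
}

workdir=$(mktemp -d)
# Constructed config mirroring the [ req ] section quoted in the report.
cat > "$workdir/openssl.cnf" <<'EOF'
[ req ]
default_bits            = 2048
EOF

cfg_bits=$(default_bits_from_cnf "$workdir/openssl.cnf")
meets_minimum "$cfg_bits" "$FUTURE_MIN_RSA_BITS" && echo "default_bits=$cfg_bits: OK" ||
    echo "default_bits=$cfg_bits is below the FUTURE minimum of $FUTURE_MIN_RSA_BITS"

if command -v openssl >/dev/null 2>&1; then
    # No size given: genrsa falls back to its built-in 2048-bit default.
    openssl genrsa -out "$workdir/default.key" 2>/dev/null
    # Workaround: pass the size explicitly (for openssl req: -newkey rsa:3072).
    openssl genrsa -out "$workdir/explicit.key" "$FUTURE_MIN_RSA_BITS" 2>/dev/null
    for k in default explicit; do
        bits=$(key_bits "$workdir/$k.key")
        meets_minimum "$bits" "$FUTURE_MIN_RSA_BITS" && verdict=OK || verdict=TOO_SMALL
        echo "$k.key: $bits bits -> $verdict"
    done
fi
rm -rf "$workdir"
```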

              Alexander Sosedkin (asosedki@redhat.com)
              Renaud Métrich (rhn-support-rmetrich)
              Ondrej Moris
              Votes: 0
              Watchers: 5