
[ubuntu] Regenerating snakeoil SSL certificate



davidkahn
May 22nd, 2008, 09:30 PM
Either concurrent with, or shortly after, upgrading to Hardy, the security system indicated that my ssh keys were generated by a version of ssh-keygen that had a broken random number generator and that I had to regenerate them. I did that and ssh is now fine.

However, when my Evolution e-mail client connects to the internal Dovecot POP3 (SSL) server running on top of Postfix, it gives the message below. This is probably because the snakeoil certificate /etc/ssl/certs/ssl-cert-snakeoil.pem was generated with the same broken random number generator and is therefore blacklisted. This raises two questions:

1. How does one regenerate the snakeoil default ssl certificate?
2. Are there any consequences of regenerating it that will have to be handled?

The easiest path would be to allow Evolution to accept the certificate. But who wants a default SSL certificate that doesn't provide security?

My version of Ubuntu is:

Linux CERTIBY1 2.6.24-16-generic #1 SMP Thu Apr 10 12:47:45 UTC 2008 x86_64 GNU/Linux
Thanks for any help.
David

SSL Certificate check for certiby1:

Issuer: E=root@CERTIBY1.LAHILLS.CERTIBY.COM,CN=CERTIBY1.LAHILLS.CERTIBY.COM,OU=Office for Complication of Otherwise Simple Affairs,O=OCOSA,L=Everywhere,ST=There is no such thing outside US,C=XX
Subject: E=root@CERTIBY1.LAHILLS.CERTIBY.COM,CN=CERTIBY1.LAHILLS.CERTIBY.COM,OU=Office for Complication of Otherwise Simple Affairs,O=OCOSA,L=Everywhere,ST=There is no such thing outside US,C=XX
Fingerprint: a3:e2:b7:8b:c6:cb:9e:86:3e:5e:c2:0b:85:bf:4d:44
Signature: BAD

davidkahn
May 23rd, 2008, 12:41 AM
I have been digging into this more -- going through the security notices.

http://www.ubuntu.com/usn/usn-612-8
http://www.ubuntu.com/taxonomy/term/1+2/0
and learned that you can test for blacklisted certificates using openssl-vulnkey. It validated that my snakeoil certificates are not blacklisted (see below). Now I don't know what the problem is. Does anyone have ideas?

Thanks.

David


david@CERTIBY1:~$ openssl-vulnkey /etc/ssl/certs/ssl-cert-snakeoil.pem
Not blacklisted: 0ff365d9ac59f2ac2a7bfdb7bd3c6e71b97014f1 /etc/ssl/certs/ssl-cert-snakeoil.pem
david@CERTIBY1:~$ sudo openssl-vulnkey /etc/ssl/private/ssl-cert-snakeoil.key
Not blacklisted: 0ff365d9ac59f2ac2a7bfdb7bd3c6e71b97014f1 /etc/ssl/private/ssl-cert-snakeoil.key

stiv2k
May 25th, 2008, 06:09 AM
If you ever find out how to do this, drop me a pm... I am also trying to figure it out.

davidkahn
May 25th, 2008, 06:40 PM
I suggest that you just subscribe to this thread so that you automatically get informed when I, or someone else, solves it.

mihallica
June 8th, 2008, 11:33 AM
Since my system's time was incorrect (year 2002) during the installation process, there were errors like "your certificate is expired" afterwards, so I needed to regenerate them.
I managed to regenerate the default snakeoil certificate with the following command:
sudo make-ssl-cert generate-default-snakeoil --force-overwrite
and the errors were gone.

Hope that will help

davidkahn
June 8th, 2008, 10:16 PM
That worked perfectly. Thanks!
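As an added example (not code from the thread or from the ssl-cert package), here is a small POSIX sh script that checks a certificate/key pair with the openssl command-line tool before or after regenerating it. It assumes the Debian/Ubuntu default snakeoil paths as its defaults and reads the private key, so against the real files it needs sudo. It prints the fingerprints a mail client shows in its accept-certificate dialog, reports whether the certificate is inside its validity dates (the wrong-system-clock case mihallica hit), and checks that the private key actually belongs to the certificate.

```shell
#!/bin/sh
# Added example, not part of the thread: sanity-check a TLS certificate/key
# pair before pointing Dovecot or Postfix at it. Defaults are the Debian/Ubuntu
# snakeoil paths; the key is readable only by root, so run with sudo:
#
#   sudo sh check_tls_pair.sh /etc/ssl/certs/ssl-cert-snakeoil.pem \
#                             /etc/ssl/private/ssl-cert-snakeoil.key

# Fingerprints to compare against what the mail client displays.
cert_fingerprints() {
    openssl x509 -noout -fingerprint -sha1 -in "$1"
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# 0 if the public key embedded in the certificate is the one derived from the
# private key, i.e. the two files belong together (a regenerated certificate
# next to a stale key, or vice versa, fails here).
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate is inside its notBefore/notAfter window, using the
# self-signed certificate as its own trust anchor. A certificate created while
# the system clock was wrong fails with "certificate has expired" or
# "certificate is not yet valid".
cert_is_valid_now() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Run all checks, print a summary, return 0 only if everything passed.
check_tls_pair() {
    cert=${1:-/etc/ssl/certs/ssl-cert-snakeoil.pem}
    key=${2:-/etc/ssl/private/ssl-cert-snakeoil.key}
    status=0
    openssl x509 -noout -subject -issuer -dates -in "$cert" || return 1
    cert_fingerprints "$cert"
    if cert_is_valid_now "$cert"; then
        echo "validity:       OK"
    else
        echo "validity:       FAILED ($(openssl verify -CAfile "$cert" "$cert" 2>&1 | tail -n 1))"
        status=1
    fi
    if key_matches_cert "$cert" "$key"; then
        echo "key/cert match: OK"
    else
        echo "key/cert match: MISMATCH (private key does not belong to this certificate)"
        status=1
    fi
    return $status
}

# With arguments, check the given pair; without, only define the functions so
# the file can be sourced.
if [ $# -gt 0 ]; then
    check_tls_pair "$@"
fi
```

After `sudo make-ssl-cert generate-default-snakeoil --force-overwrite`, run the check again and then restart (or reload) Dovecot and Postfix: a daemon that has already loaded the old certificate keeps serving it until it re-reads the file, and the new fingerprint is the one the mail client should now be shown.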