[gt-user] two apparent defects in GT 4.2 SimpleCA SSL configuration

Tue, 22 Jul 2008 13:55:27 -0700 

While looking through the GT 4.2.0 code in search of information on
X.509 certificate extensions needed for use with Globus, I noticed two
apparent defects in the SSL configuration file templates for SimpleCA.

1) By default, SimpleCA is configured to use the MD5 message digest
algorithm during key creation:


~/gt4.2.0-all-source-installer >  find . -name "*ssl.conf*" -exec grep -l 
default_md '{}' \;
./source-trees/gsi/simple_ca/setup/template/globus-ssl.conf.tmpl
./source-trees/gsi/simple_ca/setup/template/grid-ca-ssl.conf.tmpl
./source-trees-thr/gsi/simple_ca/setup/template/globus-ssl.conf.tmpl
./source-trees-thr/gsi/simple_ca/setup/template/grid-ca-ssl.conf.tmpl
~/gt4.2.0-all-source-installer > find . -name "*ssl.conf*" -exec grep 
default_md '{}' \;
default_md      = md5                   # which md to use.
default_md      = md5                   # which md to use.
default_md      = md5                   # which md to use.
default_md      = md5                   # which md to use.


Due to known weaknesses in MD5, it would be advisable to instead use
SHA1 as the default message digest algorithm for SimpleCA.  For example:


default_md      = sha1                  # which md to use.


2) The SSL configuration file templates for SimpleCA also use the
deprecated nsCertType extension.


~/gt4.2.0-all-source-installer > find . -name "*ssl.conf*" -exec grep -l 
nsCertType '{}' \;
./source-trees/gsi/simple_ca/setup/template/globus-ssl.conf.tmpl
./source-trees/gsi/simple_ca/setup/template/grid-ca-ssl.conf.tmpl
./source-trees-thr/gsi/simple_ca/setup/template/globus-ssl.conf.tmpl
./source-trees-thr/gsi/simple_ca/setup/template/grid-ca-ssl.conf.tmpl
~/gt4.2.0-all-source-installer > find . -name "*ssl.conf*" -exec grep 
nsCertType '{}' \;
nsCertType                      = objsign,email,server,client
nsCertType                      = sslCA,emailCA,objCA
nsCertType                      = sslCA,emailCA,objCA
nsCertType                      = objsign,email,server,client
nsCertType                      = objsign,email,server,client
nsCertType                      = sslCA,emailCA,objCA
nsCertType                      = sslCA,emailCA,objCA
nsCertType                      = objsign,email,server,client


To replace the deprecated nsCertType extension, it would be advisable
for the SimpleCA configuration files instead to specify equivalent
keyUsage and extendedKeyUsage extensions.  For example:


[ v3_req ]
basicConstraints = critical,CA:false
keyUsage         = 
keyAgreement,dataEncipherment,keyEncipherment,digitalSignature
extendedKeyUsage = 
serverAuth,clientAuth,codeSigning,emailProtection,timeStamping


Do others agree these configuration defaults should be changed?  If so,
I think GT versions 4.0 and 4.2 are both affected.  Should I (or
someone) create tickets in Bugzilla for this?

The following documents contain additional information relevant to this
topic:

http://www.ogf.org/documents/GFD.125.pdf
http://www.eurogrid.org/ca/eurogrid-ca-policy.pdf

The EUROGRID document describes steps taken in November 2002 to
discontinue usage of the "nsCertType" extension, and the OGF document
specifies a policy that hash algorithms with known weaknesses, such as
MD5, must not be used in new certificates.

Best regards,
Joel

--
Joel Schneider                     National Marrow Donor Program
Software Developer (Contractor)    3001 Broadway Street NE
                                   Minneapolis, MN 55413
                                   http://www.marrow.org/

Reply via email to