CVE-2004-2761: SSL Certificate Signed Using Weak cipher

Article ID: 142066

Products

CA Infrastructure Management, CA Performance Management - Usage and Administration, DX NetOps

Issue/Introduction

According to CVE-2004-2761, the Performance Management and Data Aggregator self-signed SSL certificates generated via the automated HTTPS SSL SslConfig tool are signed using a weak algorithm.

Cause

Weak SHA-1 algorithm used in Self Signed Certificates created through the SslConfig tool for automated HTTPS SSL configuration.

Environment

All supported Performance Management releases

Resolution

This will be resolved fully via defect DE442855. The fix from that defect will update the automated HTTPS SSL configuration tools to use the stronger SHA-2 algorithm. The release that will include the fix is yet to be determined.

To resolve this without waiting for the new automated tools, the following steps can be taken.

  1. For Performance Management, replace the existing self-signed certificate with one created while specifying the use of the SHA256 algorithm. Start by using the SslConfig tool to reset to HTTP. Then generate the new certs and manually configure SSL. When creating the self-signed certificate with the keytool command for PC, use the "-sigalg" argument and value.
    • The default PC command is:
      • keytool -genkeypair -ext SAN=dns:fully_qualified_hostname -keystore keystore_file.ks -storepass password -keyalg RSA -keysize 2048 -keypass password -alias alias_name
    • Instead use the following, where we specify the use of SHA256 with the '-sigalg' flag and argument:
      • keytool -genkeypair -ext SAN=dns:fully_qualified_hostname -keystore keystore_file.ks -storepass password -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keypass password -alias alias_name
  2. For the Data Aggregator:
    1. Start by reverting the configuration back to HTTP using the sslConfig.sh script.
    2. Before reconfiguring HTTPS SSL, edit the /opt/IMDataAggregator/scripts/sslConfig.sh script file (default path). Find the following line:
      • openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
    3. Change it to the following, adding the "-sha256" argument at the end. 
      • openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt -sha256
    4. Reconfigure HTTPS SSL using the sslConfig.sh script.

Another option would be to replace the existing Certificates with Certificate Authority (CA) signed SSL certificates that include a root and intermediate certificate for improved security.
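
To confirm that a regenerated certificate no longer carries a SHA-1 signature, the following added example (not part of the original article or of the product's scripts) classifies the signature algorithm reported by `openssl x509 -noout -text` or `keytool -list -v`. The function names and the weak/OK groupings are assumptions of this example; file paths, passwords and aliases are supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example: report whether a certificate is still signed with a weak hash.
# Input is the text printed by `openssl x509 -noout -text` or `keytool -list -v`.

# Print the first signature algorithm name found on stdin (the leaf certificate).
extract_sigalg() {
    # openssl prints "Signature Algorithm: sha256WithRSAEncryption"
    # keytool prints "Signature algorithm name: SHA256withRSA"
    sed -n -E 's/^[[:space:]]*Signature [Aa]lgorithm( name)?:[[:space:]]*([^[:space:]]+).*$/\2/p' \
        | head -n 1
}

# Map an algorithm name to WEAK, OK or UNKNOWN (grouping chosen for this example).
classify_sigalg() {
    sigalg_lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$sigalg_lc" in
        *md2*|*md5*|*sha1*)                 echo WEAK ;;    # MD2, MD5, SHA-1
        *sha224*|*sha256*|*sha384*|*sha512*) echo OK ;;      # SHA-2 family
        *)                                  echo UNKNOWN ;; # review by hand
    esac
}

# Read tool output on stdin, print "<algorithm> <verdict>".
# Returns 0 only when the verdict is OK, so it can gate a deployment step.
audit_sigalg() {
    audit_alg=$(extract_sigalg)
    audit_verdict=$(classify_sigalg "$audit_alg")
    printf '%s %s\n' "${audit_alg:-none}" "$audit_verdict"
    [ "$audit_verdict" = OK ]
}

# Wrappers for the two artefacts produced by the steps above.
# $1 = PEM certificate, e.g. the server.crt written by sslConfig.sh
audit_pem_cert() {
    openssl x509 -in "$1" -noout -text | audit_sigalg
}

# $1 = keystore file, $2 = store password, $3 = alias
audit_keystore() {
    keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" | audit_sigalg
}
```

Run `audit_pem_cert server.crt` on the Data Aggregator host and `audit_keystore keystore_file.ks password alias_name` for the Performance Management keystore; a `WEAK` verdict means the old SHA-1 certificate is still in place.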

Additional Information

Configure the Data Aggregator to Use HTTPS

Set Up HTTPS (for Performance Management)

Alternative to PC option above.

  1. Using the documented steps, use the SslConfig tool to reset to HTTP configuration.
  2. Generate the private key certificate file to pass to the SslConfig tool, along with the signed cert, by running:
    • /opt/CA/jre/bin/keytool -genkeypair -ext SAN=dns:fqhn -keystore keystore_file.ks -storepass password -keyalg RSA -keysize 2048 -keypass password -alias alias -sigalg SHA256withRSA
  3. Convert keystore to PKCS12 format:
    • /opt/CA/jre/bin/keytool -importkeystore -srckeystore keystore_file.ks -srcstorepass password -destkeystore keystore_file.p12 -deststoretype PKCS12 -deststorepass password
  4. Export the private key:
    • openssl pkcs12 -in keystore_file.p12 -nodes -nocerts -out private_key.pem
  5. Use the private_key.pem and the signed CA Certificate to run the SslConfig tool and reconfigure SSL from scratch.