Security threat with SSL certificates created with MD5 hash



Article ID: 340989


Products

VMware vSphere ESXi

Issue/Introduction


Symptoms:
If the SSL certificates on an ESX host are signed using the MD5 hash algorithm, a security scan may report a medium-severity finding for the X.509 Certificate Signature Collision Vulnerability (CVE-2004-2761). MD5 is vulnerable to chosen-prefix collision attacks, which allow an attacker to obtain a second certificate that carries the same MD5 signature as a legitimate one; this was demonstrated in practice against MD5-signed CA certificates in December 2008. Certificates whose signature algorithm is md5WithRSAEncryption are therefore treated as untrustworthy by the scanner.
For more information about this threat, see http://www.microsoft.com/technet/security/advisory/961509.mspx.
Note: The preceding link was correct as of June 10, 2009. If you find that the link is broken, please provide feedback and a VMware employee will update the link.


Environment

VMware ESX 4.0.x
VMware ESX Server 3.0.x
VMware ESX Server 2.5.x
VMware ESX Server 3.5.x

Resolution

Note: Following industry best practices, VMware recommends that you regenerate the SSL certificates and keys on the ESX host according to your company's security policy. In the case of custom certificates, replace these certificates according to your company's security policy.
To resolve this issue, replace SSL certificates signed using MD5 with certificates signed using the SHA1 hash algorithm. You can confirm which algorithm a certificate was signed with by running openssl x509 -in <certificate> -noout -text and reading the Signature Algorithm line. Note that SHA1 signatures have since been deprecated as well; where the host's OpenSSL build and your client software support it, prefer SHA-256 (the -sha256 option) over -sha1 in the steps below.
Replacing self-signed certificates
  1. Log in to the ESX host as root using an SSH client.
  2. Rename the existing certificate and private key in /etc/vmware/ssl/ (rui.crt and rui.key) so you have a backup. The management service only generates new files when these are missing, so do not simply delete them.
  3. Open the script /etc/rc.d/init.d/mgmt-vmware using a text editor.
  4. Locate the line:

    /usr/bin/openssl req -new -x509 -keyout "$sslDir"'/rui.key' \

  5. Change the line to:

    /usr/bin/openssl req -new -x509 -sha1 -keyout "$sslDir"'/rui.key' \

  6. Save your changes and exit.
  7. Reboot the ESX host. Because the original files were moved in step 2, the certificate and key are regenerated at startup, and because of the change in step 5 the new certificate is signed using SHA1.
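The following script is an added example, not VMware's own mgmt-vmware code, that performs the checks and the regeneration described above from a shell: it reads the signature algorithm of a certificate (the condition the security scan flags), and it backs up and regenerates a self-signed rui.key/rui.crt pair signed with a chosen digest. It assumes the openssl command is on PATH and that the certificate directory is passed as a parameter (on ESX this is /etc/vmware/ssl); the function names, the 2048-bit key size, the 10-year validity and the sha256 default are this example's choices, not values from the article. On an ESX host you still need the mgmt-vmware edit from steps 3 to 5, otherwise a later automatic regeneration would fall back to the script's default digest.

```shell
#!/bin/sh
# Added example; not part of the VMware KB article. Assumes openssl on PATH.

# Print the signature algorithm of a PEM certificate, e.g. md5WithRSAEncryption.
# The "Signature Algorithm" line appears twice in -text output; take the first.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Return 0 when the certificate is MD5-signed (the finding reported by the scan).
is_md5_signed() {
    case "$(cert_sig_alg "$1")" in
        md5*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Back up rui.key and rui.crt in $1 (e.g. /etc/vmware/ssl) with a timestamp suffix
# and generate a replacement self-signed pair signed with digest $2
# (sha1 as in the KB steps; sha256 by default here). $3 is the CN to use.
regen_self_signed() {
    dir=$1
    digest=${2:-sha256}
    cn=${3:-$(hostname 2>/dev/null || echo localhost)}
    ts=$(date +%Y%m%d%H%M%S)
    for f in rui.key rui.crt; do
        if [ -f "$dir/$f" ]; then
            mv "$dir/$f" "$dir/$f.$ts.bak"
        fi
    done
    # Equivalent of the mgmt-vmware openssl line with the digest option added;
    # -nodes leaves the key unencrypted so the management service can load it.
    openssl req -new -x509 "-$digest" -nodes -newkey rsa:2048 -days 3650 \
        -subj "/CN=$cn" -keyout "$dir/rui.key" -out "$dir/rui.crt" 2>/dev/null \
        || return 1
    chmod 400 "$dir/rui.key"
}

# Scan a directory and report whether its rui.crt needs replacing.
check_dir() {
    if is_md5_signed "$1/rui.crt"; then
        echo "$1/rui.crt: MD5-signed, replace it"
        return 1
    fi
    echo "$1/rui.crt: $(cert_sig_alg "$1/rui.crt")"
}
```

Run check_dir /etc/vmware/ssl before and after the replacement; the same cert_sig_alg check is also the quickest way to confirm that a replacement certificate delivered by a Certificate Authority or an internal CA was actually signed with the requested algorithm before you install it.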

Replacing SSL certificates purchased from a Certificate Authority

To replace SSL certificates purchased from a Certificate Authority, contact your SSL certificate vendor and request replacements that are signed using the SHA1 hash algorithm. Generate a new key pair and certificate signing request for the replacement rather than reusing the key of the MD5-signed certificate.

When you have replaced the certificate, reboot the ESX host.

Replacing self-generated (non-self-signed) SSL certificates

To replace certificates that were issued by your own internal Certificate Authority, have that CA reissue them signed using the SHA1 hash algorithm; if the internal CA's own certificate is MD5-signed, it must be replaced as well.
When you have replaced the certificate, reboot the ESX host.

