Bug 199379

Summary: [PATCH] Update SSL key generation to today's standards.
Product: Documentation
Reporter: roland
Component: Books & Articles
Assignee: Allan Jude <allanjude>
Status: Closed FIXED
Severity: Affects Only Me
CC: allanjude
Priority: ---
Keywords: patch
Version: Latest
Hardware: Any
OS: Any

Attachments:
- Patch for openssl chapter in handbook. (flags: none)

Description roland 2015-04-11 14:50:29 UTC
Created attachment 155478
Patch for openssl chapter in handbook.

The current SSL key generation chapter contains a few inaccuracies and 
the generated keys are not up to date with today's standards.

This patch shows how to generate secure keys and includes a good place for more information, namely the openssl cookbook.

Mainly: 

- Use RSA for key generation, instead of DSA. 
- Fix documentation that lied about generating an RSA key while it actually was DSA.
- Use SHA256 for signatures instead of older SHA1: http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html
- Use recommended 2048 bits instead of 1024.

Comment 1 Allan Jude freebsd_committer freebsd_triage 2015-06-16 01:34:12 UTC
Pending review: https://reviews.freebsd.org/D2836

Comment 2 commit-hook freebsd_committer freebsd_triage 2015-06-20 18:04:12 UTC
A commit references this bug:

Author: allanjude
Date: Sat Jun 20 18:03:42 UTC 2015
New revision: 46849
URL: https://svnweb.freebsd.org/changeset/doc/46849

Log:
  Update openssl chapter based on modern certificate requirements

  All Certificate Authorities now require 2048 bit keys with SHA256 hashes
  This change brings our documentation in line with that requirement

  PR:		199379
  Submitted by:	Roland van Laar <roland@micite.net> (original)
  Approved by:	wblock (mentor)
  Differential Revision:	https://reviews.freebsd.org/D2836

Changes:
  head/en_US.ISO8859-1/books/handbook/security/chapter.xml
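
The three points raised in this report (RSA rather than DSA, SHA-256 rather than SHA-1, 2048 bits rather than 1024) can be checked mechanically against the text form of a request or certificate. The script below is an added example, not part of the bug report or the handbook patch; `gen_csr` and `audit_text` are hypothetical helper names, the paths and subject are placeholders, and the two samples are constructed.

```sh
#!/bin/sh
# Added example, not from the handbook patch. gen_csr and audit_text are
# hypothetical helper names; file paths and subject are placeholders.

# Create an RSA 2048-bit key and a CSR signed with SHA-256.
gen_csr() {  # usage: gen_csr cert.key req.pem "/CN=host.example.org"
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -keyout "$1" -out "$2" -subj "$3"
}

# Read `openssl req -noout -text` or `openssl x509 -noout -text` output on
# stdin and print one line per deviation. Exit status is 1 if anything is
# flagged; input with no key or size line is flagged too (fails closed).
audit_text() {
    awk '
    /Public Key Algorithm:/ { alg = $NF }
    /Public[- ]Key: \([0-9]+ bit\)/ {
        match($0, /\([0-9]+ bit/)
        bits = substr($0, RSTART + 1, RLENGTH - 5) + 0
    }
    /Signature Algorithm:/ { sig = $NF }
    END {
        if (alg !~ /^rsa/)         { print "key-type: " alg " (want RSA)"; n++ }
        if (bits < 2048)           { print "key-size: " bits " (want >= 2048)"; n++ }
        if (tolower(sig) ~ /sha1/) { print "digest: " sig " (want SHA-256)"; n++ }
        exit (n > 0)
    }'
}

# Constructed samples in the layout openssl prints; not real requests.
OLD_STYLE='        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption
                Public-Key: (1024 bit)
    Signature Algorithm: dsaWithSHA1'
NEW_STYLE='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption'

printf '%s\n' "$OLD_STYLE" | audit_text || true   # prints three findings
printf '%s\n' "$NEW_STYLE" | audit_text && echo "NEW_STYLE: ok"
```

To audit an existing file, pipe it in, for example `openssl req -in req.pem -noout -text | audit_text`.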