[Bug 1455990] Re: quassel-core generates an insecure certificate upon installation

Mon May 18 00:18:58 UTC 2015

The attachment "certificate.debdiff" seems to be a debdiff.  The ubuntu-
sponsors team has been subscribed to the bug report so that they can
review and hopefully sponsor the debdiff.  If the attachment isn't a
patch, please remove the "patch" flag from the attachment, remove the
"patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe
the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issue please contact him.]

** Tags added: patch

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1455990

Title:
  quassel-core generates an insecure certificate upon installation

Status in quassel package in Ubuntu:
  New

Bug description:
  After installation, quassel-core generates a 1024-bit certificate
  using the SHA1 hash.  Both of these are considered deprecated and
  somewhat insecure.  The attached patch updates the postinst script to
  generate a 4096-bit certificate using the SHA256 hash instead.

  The SHA256 certificate will not cause any compatibility problems
  because OpenSSL 1.0.0 and later support SHA256 certificates.  All
  supported versions of Ubuntu and Debian have at least 1.0.1 and the
  supported Windows and Mac builds of Quassel are additionally compiled
  with a recent enough version to support the SHA256 certificate.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/quassel/+bug/1455990/+subscriptions