[Bug 1455990] Re: quassel-core generates an insecure certificate upon installation
Felix Geyer
debfx-pkg at fobos.de
Mon May 18 20:03:13 UTC 2015
As it's self signed certificate the signature hash algorithm doesn't matter much.
4096 bit seems a bit excessive, no?
Slightly offtopic:
Quassel stores the md5sum of certs the user has accepted. That's probably a bad idea.
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1455990
Title:
quassel-core generates an insecure certificate upon installation
Status in quassel package in Ubuntu:
New
Bug description:
After installation, quassel-core generates a 1024-bit certificate
using the SHA1 hash. Both of these are considered deprecated and
somewhat insecure. The attached patch updates the postinst script to
generate a 4096-bit certificate using the SHA256 hash instead.
The SHA256 certificate will not cause any compatibility problems
because OpenSSL 1.0.0 and later support SHA256 certificates. All
supported versions of Ubuntu and Debian have at least 1.0.1 and the
supported Windows and Mac builds of Quassel are additionally compiled
with a recent enough version to support the SHA256 certificate.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/quassel/+bug/1455990/+subscriptions
More information about the Ubuntu-sponsors
mailing list