Intentionally use weak server key
Hi list!
For some reason I need to use a really weak server key (256 bit) with dovecot for imaps access. Is this possible?
I tried but getting this error:
dovecot: imap-login: Error: SSL: Stacked error: error:04075070:rsa routines:RSA_sign:digest too big for rsa key
This is on an Ubuntu 14.04 on x64.
Thank you!
Stavros
You have to create your own ca, and then create the certificate. I doubt if you will be able to find companies like DigiCert or Comodo to do this.
If you want, I can try sign it with our own 'internal' CA. The only thing you have to do is of course adding our CA to your ca bundle but that is very easy in CentOS7
-----Original Message-----
From: Stavros Tsolakos [mailto:stsolakos@gmail.com]
Sent: 20 December 2018 11:33
To: Dovecot Mailing List
Subject: Re: Intentionally use weak server key
If you can convince openssl to use it.
Does anybody have any hints on how it may be done, if possible at all?
Stavros
On 2nd thought, better is just to fix your problem, going in this direction does not make sense.
On 20/12/2018 12:37, Marc Roos wrote:
You have to create your own ca, and then create the certificate. I doubt if you will be able to find companies like DigiCert or Comodo to do this.
If you want, I can try sign it with our own 'internal' CA. The only thing you have to do is of course adding our CA to your ca bundle but that is very easy in CentOS7
Thank you, Marc.
We created our own CA and certificates just fine. The problem is that SSL does not seem to like them giving the error I mentioned in the previous message:
dovecot: imap-login: Error: SSL: Stacked error: error:04075070:rsa routines:RSA_sign:digest too big for rsa key
What would an SSL+Dovecot expert do if this error was encountered? A 1024 bit key works just fine but we have to stick to 256.
The problem is on creation of the key... Look at this topic https://stackoverflow.com/a/15092703/8647326
On 12/20/2018 01:02 PM, Aki Tuomi wrote:
On 20 December 2018 at 12:50 Stavros Tsolakos <stsolakos@gmail.com> wrote:
What would an SSL+Dovecot expert do if this error was encountered? A 1024 bit key works just fine but we have to stick to 256.
You need to use a weak TLS algorithm. 256 bit rsa key can contain less than 32 bytes of data so you need to use sha1 based tls algorithm.
Aki Tuomi
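The size arithmetic behind the `digest too big for rsa key` error quoted in this thread, as an added example that is not part of any message above: it applies the RFC 8017 EMSA-PKCS1-v1_5 length rule (encoded digest plus 11 bytes of padding must fit in the modulus) to several digest schemes and key sizes. The function names and the sample message are constructed for illustration.

```python
import hashlib

# DER DigestInfo prefixes from RFC 8017, section 9.2, note 1.
DIGEST_INFO_PREFIX = {
    "md5": bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}
MIN_OVERHEAD = 11  # 0x00 0x01, at least eight 0xff bytes, 0x00

def payload(scheme: str, message: bytes) -> bytes:
    """Return the bytes T that are placed inside the padded block."""
    if scheme == "md5+sha1":  # TLS 1.0/1.1 handshake signature, no DigestInfo
        return hashlib.md5(message).digest() + hashlib.sha1(message).digest()
    return DIGEST_INFO_PREFIX[scheme] + hashlib.new(scheme, message).digest()

def emsa_pkcs1_v15(scheme: str, message: bytes, key_bits: int) -> bytes:
    """Build EM = 00 01 FF..FF 00 T for a modulus of key_bits bits."""
    em_len = (key_bits + 7) // 8
    t = payload(scheme, message)
    if em_len < len(t) + MIN_OVERHEAD:
        raise ValueError(f"digest too big for rsa key: {scheme} needs "
                         f"{len(t) + MIN_OVERHEAD} bytes, modulus has {em_len}")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def min_key_bits(scheme: str) -> int:
    """Smallest modulus size in bits whose byte length passes the check."""
    return 8 * (len(payload(scheme, b"")) + MIN_OVERHEAD)

def report(key_sizes=(256, 512, 1024)):
    """Map each scheme to the key sizes (bits) it can be signed with."""
    fits = {}
    for scheme in ("md5", "sha1", "md5+sha1", "sha256", "sha512"):
        fits[scheme] = []
        for bits in key_sizes:
            try:
                # Constructed sample message; only its digest length matters.
                emsa_pkcs1_v15(scheme, b"constructed sample message", bits)
                fits[scheme].append(bits)
            except ValueError:
                pass
    return fits

if __name__ == "__main__":
    for scheme, sizes in report().items():
        print(f"{scheme:9} min {min_key_bits(scheme):4} bits, fits {sizes}")
```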
participants (4)
- Aki Tuomi
- Marc Roos
- nanashi
- Stavros Tsolakos