[debian-edu-commits] debian-edu/ 01/01: Improve ldap server SSL/TLS connection security.

Wolfgang Schweer schweer-guest at moszumanska.debian.org
Thu Nov 23 17:36:24 UTC 2017


This is an automated email from the git hooks/post-receive script.

schweer-guest pushed a commit to branch master
in repository debian-edu-config.

commit b73cf251137c9b3191465c0a7c6f2971868fb89b
Author: Wolfgang Schweer <wschweer at arcor.de>
Date:   Thu Nov 23 18:34:40 2017 +0100

    Improve ldap server SSL/TLS connection security.
    
     - etc/ldap/ssl/slapd-cert.cnf: generate 2048 instead of 1024 bit key.
     - ldap-tools/mkslapdcert: use sha256 instead of sha1 algorithm.
---
 debian/changelog            | 3 +++
 etc/ldap/ssl/slapd-cert.cnf | 2 +-
 ldap-tools/mkslapdcert      | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 601596b..32f55ce 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,9 @@ debian-edu-config (1.938) UNRELEASED; urgency=medium
     - remove share/debian-edu-config/tools/debian-edu-dovecot-create-cert,
     - remove script call from cf/cf.imap,
     - reflect changes in Makefile and d/debian-edu-config.postinst.
+  * Improve ldap server SSL/TLS connection security.
+    - etc/ldap/ssl/slapd-cert.cnf: generate 2048 instead of 1024 bit key.
+    - ldap-tools/mkslapdcert: use sha256 instead of sha1 algorithm.
 
  -- Wolfgang Schweer <wschweer at arcor.de>  Wed, 22 Nov 2017 16:06:59 +0100
 
diff --git a/etc/ldap/ssl/slapd-cert.cnf b/etc/ldap/ssl/slapd-cert.cnf
index 7ef8072..68f1969 100644
--- a/etc/ldap/ssl/slapd-cert.cnf
+++ b/etc/ldap/ssl/slapd-cert.cnf
@@ -1,7 +1,7 @@
 RANDOM=/dev/random
 
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = yes
 distinguished_name = req_dn
 x509_extensions = v3_req
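Review bot: The `[ req ]` section still has no `default_md`, so the digest is chosen only by the `-sha256` flag in ldap-tools/mkslapdcert, and anyone running `openssl req` against this config directly gets whatever default the installed OpenSSL uses. Adding `default_md = sha256` next to `default_bits = 2048` would keep both strength parameters in one place. Separately, `encrypt_key = yes` is overridden by `-nodes` in mkslapdcert, so the key is written unencrypted; a comment such as `# overridden by -nodes in mkslapdcert; key protection relies on file permissions` would prevent a false impression. The config file continues past the end of this hunk.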
diff --git a/ldap-tools/mkslapdcert b/ldap-tools/mkslapdcert
index 4bcadf1..4958ba2 100755
--- a/ldap-tools/mkslapdcert
+++ b/ldap-tools/mkslapdcert
@@ -46,7 +46,7 @@ fi
 TMPFILE=`mktemp`
 
 # lifetime 10 years
-$opensslbin req -new -x509 -nodes -sha1 \
+$opensslbin req -new -x509 -nodes -sha256 \
       -config $certconf -days 3650 \
       -out $privkey -keyout $privkey >> $TMPFILE 2>&1 \
   || echo "error: problems running openssl." 1>&2
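Review bot: A failed `openssl req` only prints a message, because `|| echo ...` lets the script carry on, so later steps may act on a missing or partial `$privkey`. Unless the code after the hunk checks for this, `|| { echo "error: problems running openssl." 1>&2; exit 1; }` would be safer. `-out` and `-keyout` both point at `$privkey` and `-nodes` leaves the key unencrypted, so the file's mode and owner should be restricted to the slapd account; whether the script does that is not visible here. `$certconf` and `$privkey` are also unquoted. Hosts that already have a certificate presumably keep the 1024-bit/SHA-1 one until it is regenerated, which nothing visible in this commit triggers.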

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-edu/debian-edu-config.git


