[Pkg-openssl-devel] Bug#912604: libssl1.1: libssl version 1.1.1 breaks burp backup buster clients with stretch server
Antoine Sirinelli
antoine at monte-stello.com
Thu Nov 1 22:16:33 GMT 2018
On Thu, Nov 01, 2018 at 09:52:12PM +0100, Sebastian Andrzej Siewior wrote:
> |$ openssl x509 -in 912604.cert -text | grep Signature
> | Signature Algorithm: sha1WithRSAEncryption
> | Signature Algorithm: sha1WithRSAEncryption
>
> The point is that your server certificate is signed with SHA1 while
> the minimum is SHA256. Please note that all publicly issued certificates
> are signed with SHA256 these days.
Thank you for your feedback. You are right. I do not know why I was
checking the CA certificate only and not the server one. The CA one is
signed with SHA256 while the server one is signed with SHA1.
> I would suggest a *note* in burp to notify users of burp which created
> self-signed certificates with pre-Buster machines that they might need
> to recreate their certificate if it is signed with SHA1. Thus
> reassigning to burp.
On Thu, Nov 01, 2018 at 10:17:18PM +0100, Kurt Roeckx wrote:
> As far as I know, the default in stretch should also use sha256,
> most likely those certificates are older.
The certificate was issued in 2016. It was therefore likely generated
with Jessie.
I have regenerated the server certificate and everything is working now.
Nevertheless, I believe this should be documented somewhere in the
Debian burp package that certificates generated under Jessie are likely
to be rejected under Buster.
Antoine
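
The mix-up described in this message (CA certificate signed with SHA256, server certificate signed with SHA1) is easy to catch by listing the signature algorithm of every certificate in one pass. The script below is an added example, not part of the original thread or of burp; the function names `sigalg_report` and `check_pem` and the sample subjects are made up for illustration.

```shell
#!/bin/sh
# Added example: report each certificate's signature algorithm, flag MD5/SHA-1.
# Function names and the sample text below are constructed for illustration.

# stdin: `openssl ... -text` output for one or more certificates.
# stdout: "<WEAK|ok> <algorithm> <subject>", one line per certificate.
sigalg_report() {
    awk '
        /^ *Subject:/ { sub(/^ *Subject: */, ""); subj = $0; have = 1; next }
        /Signature Algorithm:/ && have {
            # First Signature Algorithm line after Subject: the outer signature.
            sub(/^.*Signature Algorithm: */, ""); sub(/ *$/, "")
            # RSASSA-PSS keeps its hash in parameters and is not inspected here.
            status = ($0 ~ /^(md5|sha1)/ || $0 ~ /SHA1$/) ? "WEAK" : "ok"
            print status, $0, subj
            have = 0
        }'
}

# Checks every certificate in PEM file $1; returns 1 if any is WEAK.
check_pem() {
    report=$(openssl crl2pkcs7 -nocrl -certfile "$1" |
             openssl pkcs7 -print_certs -text -noout | sigalg_report)
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -q '^WEAK '; then return 1; fi
}

# Constructed excerpt of -text output: SHA-256 CA, SHA-1 server certificate.
SAMPLE='Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Backup CA
        Subject: CN = Example Backup CA
    Signature Algorithm: sha256WithRSAEncryption
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Backup CA
        Subject: CN = backup-server.example
    Signature Algorithm: sha1WithRSAEncryption'

printf '%s\n' "$SAMPLE" | sigalg_report
```

Running `check_pem` on a file that holds both the CA and the server certificate prints one line per certificate and returns non-zero if any of them is signed with MD5 or SHA-1.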