Koozali.org: home of the SME Server

[UPDATED] PHPKi self signed certificate manager

ReetP
[UPDATED] PHPKi self signed certificate manager
« on: March 06, 2020, 03:15:53 PM »
Hello all,

Terry and I have been working on updating PHPki for creating your own certificates.

Why is this important?

Because if we want to get off PPTP for more secure VPNs we really need to be able to create certificates with current day encryption strength.

e.g. I use Libreswan for ipsec and they have become increasingly demanding on their requirements, which is no bad thing.

As Paul Wouters at Libreswan commented regarding some discussions with me on protocols in common use on phones and servers:

"we are pretty sure nation states can successfully attack DH2
Your VPNs are insecure against the most powerful attackers, and any future bugs and features you will miss. If you cannot update a configuration in 20 years, then you are simply not offering security services. Sorry. You can tell your client the author of RFC 8247 and RFC 8221 said so."

and

"Google is a TLS organization. their business model is "host all your data with us, behind TLS, and you won't need a VPN".

Hence Android being pretty piss poor on encryption levels for VPNs

Anyways, having looked at PHPKi we can up the levels from sha1 to sha512 which is a big leap. But we really need to re-generate the CA certificate as well to benefit from it.

So I was looking at upgrading originally, but I am now leaning towards it being a case of backup old certs and start afresh.

It will be a pain as you need to replace all your certs everywhere (I have a couple of dozen for libreswan and openvpn) but better in the long term.

(I am no crypto guru here - just learned a bit as I played)

Anyone got any comments or thoughts on this?
« Last Edit: March 22, 2020, 12:32:33 PM by ReetP »
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

ReetP
Re: PHPKi self signed certificate manager
« Reply #1 on: March 22, 2020, 12:31:56 PM »
To follow up on this we are going to push an update to the old existing version 0.82 later today

We are then going to import a new version 0.84-1

This is basically the radicand fork of 0.83 https://github.com/radicand/phpki with some fixes and added SME goodness

It has much stronger encryption and fixes a lot of bugs.

However, there is one big issue.

If you have not used phpki before then just install the new version and create certificates.

If you are using 0.82 it is not possible to upgrade the existing certificates - we did look at this but it is a non-starter. (Upgrading will backup your old certificates)

That means you need to create new CA and user certificates.

We STRONGLY recommend that you do this for your own benefit. The old certificates have weak encryption by today's standards and you really should upgrade.

We have set the encryption for DH keys for Openvpn to 2048. The CA is 4096 bit, the default md is now sha512 and the minimum for standard certificates is 1024 but can be increased (and we recommend) to 4096 bit (a bug meant you could not select 4096 before!)

(NB - it all sounds impressive - I am no guru on it but know it is a damn sight more secure!!!!!!)

This is a pain - I have loads to upgrade myself!!!!!!

But, for your own security, and your company and clients, it is well worth doing.

This version will appear in smedev shortly. Please use it and report any bugs or come and talk to us about it on RocketChat


Daniel B. (Firewall Services, network security)
Re: PHPKi self signed certificate manager
« Reply #2 on: March 22, 2020, 12:43:26 PM »
> That means you need to create new CA and user certificates.

Not clear to me. Does this mean you must create a new CA to benefit from the new crypto settings (which is expected), or does this mean this will break existing setups, which will not be able to sign new certs until a new CA is created?

Regards,
Daniel
It's the end of the world!!! :lol:

ReetP
Re: [UPDATED] PHPKi self signed certificate manager
« Reply #3 on: March 22, 2020, 03:04:47 PM »
Basically it means a complete fresh start. Installing will move the old store out of the way so you could revert if required.

I can't see a way to do an 'Are you sure you want to continue or exit the RPM' option either.

We looked but could not see any way to increase the security level of existing certificates.

I am no guru on this - I have just done the best I can. All I know is the old version has a lot of bugs (some fixed in the update to 0.82-20) and is not very strong by today's standards.

This was an attempt to address that.

All the code is in github and I have test rpms on my server if you want to look.

I migrated over all the SME code (hopefully)

The new certificates all seem to work - I have been testing already.

Openvpn-routed needs the default cipher updating from BF-CBC to AES-256-CBC as well - the contrib is in smedev and I will update the defaults in due course.

If you want to help then please do.....

Daniel B. (Firewall Services, network security)
Re: [UPDATED] PHPKi self signed certificate manager
« Reply #4 on: March 22, 2020, 06:50:41 PM »
If it's such a breaking change, it should not be pushed as is in the repo. It should have another name, and should conflict with the existing phpki package, so that its installation is controlled. Building a new pki is a big job which needs to be planned, and can take several months. It shouldn't be a simple yum update away. Especially right now, we have most of our clients relying on the vpn, and we can't deploy new certs on hundreds of mobile users due to confinement

ReetP
Re: [UPDATED] PHPKi self signed certificate manager
« Reply #5 on: March 22, 2020, 07:25:07 PM »
It is a shame that none of this was mentioned when I first started talking about it months back. I might have chosen a different path.

Hey ho.

By all means I can leave it out, or use a different name. I can run my own build anyway.

Unfortunately I have to update myself because the certs and ciphers are seriously out of date and becoming deprecated (I started this due to issues with ipsec which made me realise the certs we all use are really a busted flush and should be dumped PDQ)

I also realised there were several issues with the 0.82 install - I have fixed the most glaring ones in 0.82-20 and I suggest you have a good look at it before it is released.

It should not touch any existing certificates. It allows you to generate 4096 bit certificates (you can currently only use 3072 or some odd number I think), shows the correct dates in the columns, gives personal names to certs and a few other bits.

I'd be grateful for some feedback PDQ.

gieres
Re: [UPDATED] PHPKi self signed certificate manager
« Reply #6 on: March 22, 2020, 07:47:11 PM »
Hi,
Please, can you expand « PDQ »?
Thanks.

ReetP
Re: [UPDATED] PHPKi self signed certificate manager
« Reply #7 on: March 22, 2020, 07:59:53 PM »
Pretty Damn Quick....