Bug 13527 - apache not start after update to core183
Summary: apache not start after update to core183
Status: CLOSED FIXED
Alias: None
Product: IPFire
Classification: Unclassified
Component: --- (show other bugs)
Version: 2
Hardware: unspecified Unspecified
: Will affect an average number of users Crash
Assignee: Arne.F
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-01-13 08:33 UTC by Arne.F
Modified: 2024-02-14 12:17 UTC (History)
2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Arne.F 2024-01-13 08:33:39 UTC 
On some updated machines there is an ssl error in log that ee key is to small.

AH02562: Failed to configure certificate xxxxxxxxxx:444
:0 (with chain), check /etc/httpd/server.crt
[Fri Jan 12 23:52:40.051963 2024] [ssl:emerg] [pid 3076:tid 136836598444224] SSL Library Error: error:0A00018F:SSL routines::ee key too small
AH00016: Configuration Failed

after regeneration of the hostkeys it works. But the updater has to check this and maybee regenerate the key.
Comment 1 Michael Tremer 2024-01-13 14:30:21 UTC 
Is it possible that your machine was using a very ancient RSA key or something like that? Has that machine been updated for a very long time?
Comment 2 Adolf Belka 2024-01-17 21:41:48 UTC 
I did some testing with my vm testbed and creating apache rsa certificates of different sizes.

2048 and 4096 bit certificates are fine with the update to CU183.

If you have a 1024 bit rsa certificate then it works fine with CU182 with the OpenSSL-3.1.4 but fails to start after upgrade to CU183 with OpenSSL-3.2.0

After some searching I have found the following statement in the 3.2.0 changelog

   The default SSL/TLS security level has been changed from 1 to 2. RSA,
   DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys
   of 160 bits and above and less than 224 bits were previously accepted by
   default but are now no longer allowed. By default TLS compression was
   already disabled in previous OpenSSL versions. At security level 2 it cannot
   be enabled. 

So with OpenSSL-3.2.0 the default security level means certificates need to be a minimum of 2048 bits.
Comment 3 Arne.F 2024-01-18 17:09:36 UTC 
I can confirm this. Old systems installed before core115 has a 1024 bit hostkey
Comment 4 Adolf Belka 2024-01-19 11:53:58 UTC 
I ran a test on my vm testbed with a CU182 system with a 1024 bit rsa certificate and ran the update to CU183.

Everything went well. Apache restarted and checking the rsa cert it was 4096 bit after upgrade.

So I can confirm that the fix commits are working.
Comment 5 Michael Tremer 2024-01-19 16:56:14 UTC 
I will just link this here, because some parts of the conversation have been happening on the list:

> https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/thread/ESM2DVKTMQ3MS4TINHRMJMF4VUQFMYUR/
Comment 7 Adolf Belka 2024-01-24 08:29:16 UTC 
Set up a CU182 vm system with 1024 bit server.crt and then ran the Testing CU183 upgrade.

Confirm that everything worked as expected with result being a 4096 bit server.crt

No impact on the browser as it was using the ECDSA cert anyway.
Comment 8 Adolf Belka 2024-02-14 12:17:45 UTC 
Core Update 183 with the fix has been released now.

https://www.ipfire.org/blog/ipfire-2-29-core-update-183-released