TLS fails on linux self-signed certs

  • 7 replies
  • 29 have this problem
  • 1 view
  • Last reply by ctmattice

On Firefox 38.1.0 running on CentOS 6.6 I'm having an issue with TLS.

When this first happened I redid the cert using 2048 byte keys. This seemed to take care of the issue when navigating to addresses similar to https://localhost/somesite; however, if I try https://localhost:10000 it always fails with:

An error occurred during a connection to localhost.localdomain:10000. The server certificate included a public key that was too weak. (Error code: ssl_error_weak_server_cert_key)

   The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
   Please contact the website owners to inform them of this problem.

The certificate signature algorithm is -> PKCS #1 SHA-1 With RSA Encryption

The public key algorithm is -> PKCS #1 RSA Encryption

The key was created on 07/06/15 for a 10 year period. It is a Version 1 cert issued by myself with the following info: E = ctmattice@permitepaints.com CN = localhost OU = hq O = permite L = Stone Mountain ST = ga C = us

All replies (7)

Is there more than one cert listed in the certificate manager? Is the cert using ssl3?

guigs said

Is there more than one cert listed in the certificate manager? Is the cert using ssl3?

No, only one cert, and ssl3 is disabled; only using TLS1.0 and above.

Fallback tls is the third version if not specified. The Dh is not specified so it's not the logjam encryption vulnerability.

Could you try re-creating your self-signed key?

A workaround I have seen is, if it works in Windows, you can export the certs working in another browser and import those versions, but this does not address the immediate issue.

See if it follows the CA guidelines. Edit: the big one was the recent logjam algos: https://communities.bmc.com/thread/131855

Modified by guigs

Replaced the self-signed cert, double checked no other private keys or certs were present. Still have the same issue.

Anything with an address of https://example.com/somelink works.

Tried https://example.com:443 and it works as expected. The port # 10000 is typically used by webmin, so I'll check over there and see if they have any reports about this.

Chosen solution

This was a webmin problem.

To fix this, edit /etc/webmin/miniserv.pem and replace the cert and private key sections.

Use a newly generated key and self-signed cert. If you follow the CentOS instructions, the locations of the files are /etc/pki/tls/private/ca.key and /etc/pki/tls/certs/ca.crt

Modified by ctmattice

Just curious, is this on the server or a workaround for a CentOS PC?

This was on a server.

The problem lies within webmin and was discovered when I uninstalled then reinstalled the yum repository. In the installation process they create a self-signed cert which is too weak for the latest Firefox version.
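
The check and fix described in the chosen solution and the last reply, sketched as a shell script; this is an added example, not code from the thread or from webmin. The 2048-bit threshold, the function names and the `.new` output path are assumptions, and it relies on the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: audit a combined key+cert PEM (the kind of file the thread
# edits at /etc/webmin/miniserv.pem) and build a stronger self-signed one.
MIN_BITS=2048   # assumed policy threshold, not a value taken from the thread

# Print the public key size in bits of the first certificate in PEM file $1.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[ -]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the certificate's signature algorithm, e.g. sha1WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeed (exit 0) when the key is below MIN_BITS or the file cannot be parsed.
cert_is_weak() {
    bits=$(cert_key_bits "$1")
    [ -z "$bits" ] && return 0
    [ "$bits" -lt "$MIN_BITS" ]
}

# build_pem OUTFILE COMMON_NAME [BITS]: new RSA key plus SHA-256 self-signed
# cert, written as one file (private key section, then certificate section).
build_pem() {
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey "rsa:${3:-2048}" -sha256 -nodes -days 365 \
        -subj "/CN=$2" -keyout "$tmp/key.pem" -out "$tmp/cert.pem" \
        2>/dev/null || { rm -rf "$tmp"; return 1; }
    (umask 077; cat "$tmp/key.pem" "$tmp/cert.pem" > "$1")
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage: sh audit.sh /etc/webmin/miniserv.pem   (does nothing without a path)
if [ $# -gt 0 ]; then
    echo "$1: $(cert_key_bits "$1") bit key, signed with $(cert_sig_alg "$1")"
    if cert_is_weak "$1"; then
        build_pem "$1.new" "$(hostname)" && echo "replacement written to $1.new"
    fi
fi
```

The script only writes a `.new` file beside the original; replacing the sections in the live file is left to the administrator.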