Changes between Version 1 and Version 2 of ReplacingCertificates


Timestamp: Jan 8, 2019, 11:04:46 PM
Author: chris
Comment: --

Legend: unchanged lines are unmarked, lines removed from v1 are marked `-`, lines added in v2 are marked `+`; `...` marks lines the diff view does not show.

  • ReplacingCertificates
They also allow the client (bbackupd) to verify that it is connecting to the correct server and not an impostor. An impostor could not decrypt the encrypted data, but it could substitute bad data or delete existing backups.

- Box Backup uses X.509 certificates, which are generated on the server and clients. They are signed by a Certificate Authority, usually a private (free) one created by the included scripts, which should be kept on a separate machine to all servers and clients, strongly protected from the Internet, and with an encrypted disk.
+ Box Backup uses X.509 certificates, which are generated on the server and clients. They are signed by a Certificate Authority (CA), usually a private (free) one created by the included scripts. The CA should be kept on a machine separate from all servers and clients, strongly protected from the Internet, and on an encrypted disk.

- The certificates generated by Box Backup expire in the year 2038 for server certificates, and 5000 days (13 years) for client certificates. Sometimes it may be necessary to generate new certificates. For example, if a client or server is compromised, it needs a new certificate. If the CA is compromised, a new one should be created (on a fresh, secure box) and all certificates generated by the old one and still in use should be replaced.
+ == When to replace ==
+
+ The certificates generated by Box Backup expire in the year 2038 for server certificates and after 5000 days (roughly 13.7 years) for client certificates. Sometimes it is necessary to generate new certificates, for example when they expire.
+
+ If a client or server is compromised, it needs a new certificate. If the CA is compromised, a new one should be created (on a fresh, secure box) and every certificate issued by the old one that is still in use should be replaced. This is a pain, which is why you should keep the CA really secure and avoid ever needing to do it.
+
+ == Debian Security Level Update ==

Also, sometimes the powers that be (e.g. OpenSSL, Debian) decide that the previous standard key length or algorithm is no longer enough and should be considered insecure from now on. This is usually because of advances in computing power, but it can also happen when a weakness is found in a cryptographic algorithm. It is a judgement call: the estimated time, cost and energy needed to break encryption that uses that key length or algorithm has dropped below a chosen threshold.
...
* Server and client [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907135 fail to start], with the error `TLSLoadCertificatesFailed: SSL or crypto error: loading certificates from testfiles/clientCerts.pem: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small`.
* `test/basicserver` and the other tests that use `bbstored` fail for the same reason.
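Both replacement triggers described above (a certificate that is about to expire, and an RSA key that Debian's SECLEVEL=2 rejects with "ee key too small") can be checked on disk before a daemon is restarted. The script below is an added example and is not part of Box Backup: the 2048-bit threshold is the SECLEVEL=2 minimum for RSA, the 90-day window, the file paths and the `SAMPLE_TEXT` excerpt are my own placeholders, and `openssl x509 -text` / `-checkend` are standard OpenSSL options.

```shell
#!/bin/sh
# Added example, not Box Backup code: audit PEM certificates for the two
# replacement triggers (expiry, and an RSA key that Debian's SECLEVEL=2
# rejects with "ee key too small"). Thresholds and paths are placeholders;
# SAMPLE_TEXT is a constructed excerpt, not a real certificate.
set -eu

MIN_RSA_BITS=2048   # SECLEVEL=2 requires RSA keys of at least 2048 bits
WARN_DAYS=90        # report certificates that expire within this window

# Extract the public key size from `openssl x509 -noout -text` output on
# stdin. Handles both "RSA Public-Key: (2048 bit)" (OpenSSL 1.1.1) and
# "Public-Key: (2048 bit)" (OpenSSL 1.0.x and 3.x).
key_bits_from_text() {
    sed -n 's/^ *\(RSA \)\{0,1\}Public-Key: (\([0-9][0-9]*\) bit.*/\2/p' | head -n 1
}

# Map (key bits, expiring 0/1) to a verdict: ok, key-too-small, expiring,
# or key-too-small+expiring.
classify() {
    bits=$1; expiring=$2
    verdict=""
    if [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        verdict="key-too-small"
    fi
    if [ "$expiring" -eq 1 ]; then
        verdict="${verdict:+$verdict+}expiring"
    fi
    echo "${verdict:-ok}"
}

# Audit one certificate file with openssl; prints "<file> <bits> <verdict>".
# `x509 -checkend N` exits non-zero when the certificate expires within N seconds.
audit_cert() {
    file=$1
    bits=$(openssl x509 -noout -text -in "$file" | key_bits_from_text)
    if openssl x509 -noout -checkend $((WARN_DAYS * 86400)) -in "$file" >/dev/null; then
        expiring=0
    else
        expiring=1
    fi
    printf '%s %s %s\n' "$file" "${bits:-?}" "$(classify "${bits:-0}" "$expiring")"
}

# Constructed excerpt of `openssl x509 -text` output, used when no files are given.
SAMPLE_TEXT='Certificate:
    Data:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
                Modulus:'

if [ "$#" -gt 0 ]; then
    for f in "$@"; do audit_cert "$f"; done   # e.g. ./audit-certs.sh /etc/boxbackup/*.pem
else
    sample_bits=$(printf '%s\n' "$SAMPLE_TEXT" | key_bits_from_text)
    printf 'sample: %s bits -> %s\n' "$sample_bits" "$(classify "$sample_bits" 0)"
fi
```

Run it with the server's and each client's certificate files as arguments; anything reported as `key-too-small` will fail to load under SECLEVEL=2 regardless of its expiry date, so it belongs on the replacement list first.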
+
+ === Workaround ===

You can work around this by editing `/etc/ssl/openssl.cnf`, finding the following section (at the end of the file):
...
and changing `SECLEVEL=2` to `SECLEVEL=1`. However, you would be going against Debian's recommendation by doing this, and it lowers the security level of the whole system, not just Box Backup: every program that uses the system OpenSSL configuration will once more accept keys and ciphers that Debian has judged too weak.
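If you do need the workaround, its blast radius can be limited to the Box Backup daemon instead of the whole system by giving that one process a private, relaxed copy of the configuration through the `OPENSSL_CONF` environment variable. The script below is an added example, not Box Backup code: `SAMPLE_CNF` is a constructed copy of the stanza Debian buster appends to `openssl.cnf` (check it against your own file), the install path and systemd unit name are placeholders, and it assumes the daemon lets OpenSSL load its default configuration file, which OpenSSL 1.1.x does automatically at initialisation. It is still a downgrade; it only stops the downgrade from leaking into unrelated software.

```shell
#!/bin/sh
# Added example (not Box Backup code): scope the SECLEVEL=1 workaround to a
# single process by pointing OPENSSL_CONF at a private copy of openssl.cnf,
# instead of editing /etc/ssl/openssl.cnf for the whole system.
# SAMPLE_CNF is constructed to match the stanza Debian buster appends to
# openssl.cnf; the install path and unit name are placeholders.
set -eu

# Constructed sample of the stanza the wiki page refers to.
SAMPLE_CNF='[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2'

# stdin -> stdout: relax SECLEVEL=2 to SECLEVEL=1 and touch nothing else.
lower_seclevel() {
    sed 's/@SECLEVEL=2/@SECLEVEL=1/g'
}

# Print how many lines still pin SECLEVEL=2 (0 once the copy is relaxed).
count_seclevel2() {
    grep -c 'SECLEVEL=2' || true
}

# Write the relaxed copy. Arguments: source openssl.cnf ("-" selects the
# built-in sample), destination path. Prints the remaining SECLEVEL=2 count.
write_relaxed_copy() {
    src=$1; dst=$2
    if [ "$src" = "-" ]; then
        printf '%s\n' "$SAMPLE_CNF" | lower_seclevel > "$dst"
    else
        lower_seclevel < "$src" > "$dst"
    fi
    chmod 0644 "$dst"
    printf 'SECLEVEL=2 lines left in %s: %s\n' "$dst" "$(count_seclevel2 < "$dst")"
}

# Demo: relax the real system file when it is readable, otherwise the sample.
tmp=$(mktemp)
if [ -r /etc/ssl/openssl.cnf ]; then
    write_relaxed_copy /etc/ssl/openssl.cnf "$tmp"
else
    write_relaxed_copy - "$tmp"
fi
rm -f "$tmp"

# To apply the copy to the Box Backup daemon only (placeholder paths,
# systemd assumed), install it and set the variable in a drop-in:
#   install -m 0644 relaxed.cnf /etc/boxbackup/openssl-seclevel1.cnf
#   # /etc/systemd/system/bbstored.service.d/override.conf
#   [Service]
#   Environment=OPENSSL_CONF=/etc/boxbackup/openssl-seclevel1.cnf
# Every other program keeps reading /etc/ssl/openssl.cnf at SECLEVEL=2.
```

Remove the drop-in again once the certificates have been regenerated with adequate key sizes; the private copy otherwise silently outlives the problem it was meant to bridge.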
    2836
+ === Solution ===
+
Before (an unreleased version) it was not possible to configure the cipher strength in Box Backup without modifying the source and recompiling. That is now possible. Moreover, older versions can still use certificates and keys generated by this version and later, and those certificates are compatible with Debian's stricter security level. We therefore recommend that you use at least this version to generate new CA, server and client certificates for the affected system(s) and for any systems they connect to.

This may require you to replace the CA certificate on all clients.

+ == Procedure ==
+
To actually generate new certificates, upgrade the version of Box Backup on your CA (at least) to (an unreleased version) and then follow the [wiki:CertificatesAndAccountsManagement Certificates and Account Management] instructions to create a new CA and new certificates for the server(s) and client(s). You can generate all the certificates and keys on the CA; you don't need to upgrade all the servers and clients just so that they can generate the new, stronger certificates.
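What the regeneration step amounts to, with the key sizes made explicit, shown in plain OpenSSL as an added example. This is not the Box Backup scripts the linked page tells you to run (those wrap the same operations and impose the project's own CN and file-name conventions, which are not reproduced here); the CN values, file names, validity periods and the deliberately weak 1024-bit "legacy" certificate are placeholders I constructed for illustration. `openssl verify -auth_level 2` applies the same key-strength rule as Debian's SECLEVEL=2, so the last loop shows which certificates would still trip "ee key too small" and which pass.

```shell
#!/bin/sh
# Added example: a plain-openssl equivalent of regenerating a private CA, a
# server certificate and a client certificate with key sizes that satisfy
# Debian's SECLEVEL=2 (RSA >= 2048 bits). This is NOT Box Backup's own
# certificate scripts; CN values, file names and validity are placeholders.
set -eu

# Create a self-signed CA. Arguments: output dir, RSA key bits.
# Extensions come from a tiny extfile so the result does not depend on the
# [v3_ca] section of whatever openssl.cnf happens to be installed.
make_ca() {
    dir=$1; bits=$2
    openssl req -new -newkey "rsa:$bits" -nodes -sha256 \
        -subj "/CN=Backup CA (example)" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -sha256 -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null
}

# Issue an end-entity certificate signed by the CA in $dir.
# Arguments: dir, file stem, CN, RSA key bits.
issue_cert() {
    dir=$1; name=$2; cn=$3; bits=$4
    openssl req -new -newkey "rsa:$bits" -nodes -sha256 -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 5000 -in "$dir/$name.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$name.pem" 2>/dev/null
}

# Verify a certificate against the CA at a given OpenSSL authentication
# level; level 2 matches Debian's SECLEVEL=2. Prints OK or FAIL.
verify_at_level() {
    dir=$1; name=$2; level=$3
    if openssl verify -CAfile "$dir/ca.pem" -auth_level "$level" \
            "$dir/$name.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

demo() {
    work=$(mktemp -d)
    make_ca "$work" 4096
    issue_cert "$work" server "backup.example.org" 2048
    issue_cert "$work" client "BACKUP-00000001" 2048   # CN format is a placeholder
    issue_cert "$work" legacy "legacy-client" 1024     # the kind of key that now fails
    for n in server client legacy; do
        printf '%s level1=%s level2=%s\n' "$n" \
            "$(verify_at_level "$work" "$n" 1)" "$(verify_at_level "$work" "$n" 2)"
    done
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then
    demo
fi
```

The 1024-bit certificate verifies at level 1 and fails at level 2, which is exactly the boundary Debian moved; the 2048-bit server and client certificates pass at both. Keep the CA key larger than the certificates it signs (4096 bits here) since it has the longest life and the widest impact if it ever has to be replaced.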