SA Bugzilla – Bug 7807
t/spamd_ssl.t fails due to small key size
Last modified: 2020-04-10 07:47:46 UTC
On RHEL/Centos 8, due to its default crypto policy, the 'tests t/spamd_ssl.t' and 't/spamd_ssl_accept_fail.t' fail, because the key in the certificate (t/data/etc/testhost.cert, t/data/etc/testhost.key) is too small. I've confirmed this with a small sample program that loads the certificate. The program fails with the following error: 140561996314432:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:ssl/ssl_rsa.c:310 If I generate my own key/certificate using e.g. the following, the tests pass. openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout testhost.key openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout testhost.key -out testhost.cert Can you please generate a new test key/certificate that is larger and add it to the repository? Thanks!
Created attachment 5695 [details] proposed fix The attached patch against the 3.4 branch includes a new certificate. It also updates the tests to use a unprivileged TCP port, allowing them to execute as non root users. (bz #7763) I haven't tried to apply this against trunk.
Thanks! This fixes the problem for me with the 3.4 version.
Cert updated Sending spamassassin-3.4/t/data/etc/testhost.cert Sending spamassassin-3.4/t/data/etc/testhost.key Sending trunk/t/data/etc/testhost.cert Sending trunk/t/data/etc/testhost.key Transmitting file data ....done Committing transaction... Committed revision 1876347.