Monthly Archives: October 2014

Adding SHA-2 to tinyca

Google has announced a sunset for SHA-1 certificate signatures in Chrome. SHA-2 (aka SHA-256, SHA-384, and SHA-512) is the remaining option for certificate signatures. I decided to upgrade my certificates to SHA-2 (256 bits). However, when I tried to use tinyca2 to generate a SHA-2 certificate, I found it was not supported.

As tinyca2 is a Perl package, I looked at the code to see how difficult it would be to update. The code is easy to read and well modularized. Adding the SHA-2 involves changes to the GUI, REQ, CERT, and OpenSSL components. I updated six files, although support can be added with fewer.

Patches are attached at the end of this post.  An additional patch to apply the selected digest when creating sub-CAs (thanks to C├ędric Dufour) has been included.
Continue reading

Disabling SSLv3 to block Poodle

The new Poodle vulnerability lead me to disable SSLv3 on my Ubuntu server. I have TLS/SSL enabled on three services: apache2, exim4, and dovecot2. Each service required a different method to disable SSLv3.

Ubuntu uses configuration files split into small pieces. The method should apply to other distributions, although the configuration files may be arranged differently. Continue reading