Fix to use stronger defaults for generated keys

https://github.com/webmin/webmin/issues/2728
2026-06-04 20:30:22 +01:00 · 2026-05-31 20:42:33 +02:00
parent 57b1ae3b18
commit 435d2db4c6
10 changed files with 12 additions and 11 deletions
--- a/bind8/conf_zonedef.cgi
+++ b/bind8/conf_zonedef.cgi
@@ -92,7 +92,7 @@ if (&supports_dnssec()) {

 	# Default algorithm
 	print &ui_table_row($text{'zonedef_alg'},
-		&ui_select("alg", $config{'tmpl_dnssecalg'} || "RSASHA1",
+		&ui_select("alg", $config{'tmpl_dnssecalg'} || "RSASHA256",
 			   [ &list_dnssec_algorithms() ]), 3);

 	# Default size
--- a/setup.pl
+++ b/setup.pl
@@ -494,7 +494,7 @@ else {
 		$cert = &tempname();
 		$key = &tempname();
 		$addtextsup = &get_openssl_version() >= 1.1 ? "-addext subjectAltName=DNS:$host,DNS:localhost -addext extendedKeyUsage=serverAuth" : "";
-		open(SSL, "| openssl req -newkey rsa:2048 -x509 -nodes -out $cert -keyout $key -days 1825 -sha256 -subj '/CN=$host/C=US/L=Santa Clara' $addtextsup >/dev/null 2>&1");
+		open(SSL, "| openssl req -newkey rsa:4096 -x509 -nodes -out $cert -keyout $key -days 1825 -sha256 -subj '/CN=$host/C=US/L=Santa Clara' $addtextsup >/dev/null 2>&1");
 		print SSL ".\n";
 		print SSL ".\n";
 		print SSL ".\n";
--- a/setup.sh
+++ b/setup.sh
@@ -607,7 +607,7 @@ else
 			addtextsup=""
 		fi
 		# We can generate a new SSL key for this host
-		openssl req -newkey rsa:2048 -x509 -nodes -out $tempdir/cert -keyout $tempdir/key -days 1825 -sha256 -subj "/CN=$host/C=US/L=Santa Clara" $addtextsup >/dev/null 2>&1 <<EOF
+		openssl req -newkey rsa:4096 -x509 -nodes -out $tempdir/cert -keyout $tempdir/key -days 1825 -sha256 -subj "/CN=$host/C=US/L=Santa Clara" $addtextsup >/dev/null 2>&1 <<EOF
 .
 .
 .
--- a/sshd/sshd-lib.pl
+++ b/sshd/sshd-lib.pl
@@ -505,7 +505,7 @@ if ($version{'type'} eq 'openssh' && $version{'number'} >= 6.5) {
 	return "ed25519";
 	}
 if ($version{'type'} eq 'openssh' && $version{'number'} >= 3.2) {
-	return "rsa1";
+	return "rsa";
 	}
 return undef;
 }
--- a/sshd/useradmin_update.pl
+++ b/sshd/useradmin_update.pl
@@ -11,12 +11,13 @@ if ($config{'sync_create'} && &has_command($config{'keygen_path'}) &&
 	local $cmd;
 	local $type = $config{'sync_type'} || &get_preferred_key_type();
 	local $tflag = $type ? "-t $type" : "";
+	local $bflag = $type eq "rsa" ? "-b 4096" : "";
 	if ($config{'sync_pass'} && $uinfo->{'passmode'} == 3) {
-		$cmd = "$config{'keygen_path'} $tflag -P ".
+		$cmd = "$config{'keygen_path'} $tflag $bflag -P ".
 		       quotemeta($uinfo->{'plainpass'});
 		}
 	else {
-		$cmd = "$config{'keygen_path'} $tflag -P \"\"";
+		$cmd = "$config{'keygen_path'} $tflag $bflag -P \"\"";
 		}
 	&system_logged("echo '' | ".&command_as_user($uinfo->{'user'}, 0, $cmd).
 		       " >/dev/null 2>&1");
--- a/usermin/change_ssl.cgi
+++ b/usermin/change_ssl.cgi
@@ -47,7 +47,7 @@ elsif ($in{'cipher_list_def'} == 3) {
 		# Generate file needed for PFS
 		my $out = &backquote_command(
 			"openssl dhparam -out ".
-			quotemeta($miniserv{'dhparams_file'})." 2048 2>&1");
+			quotemeta($miniserv{'dhparams_file'})." 4096 2>&1");
 		if ($?) {
 			&error(&text('ssl_edhparams',
 				     "<pre>".&html_escape($out)."</pre>"));
--- a/usermin/usermin-lib.pl
+++ b/usermin/usermin-lib.pl
@@ -41,7 +41,7 @@ $latest_page_url = "$http_proto://$update_host/index6.html";
 $latest_rpm = "$http_proto://$update_host/download/usermin-latest.noarch.rpm";
 $latest_tgz = "$http_proto://$update_host/download/usermin-latest.tar.gz";

-$default_key_size = 2048;
+$default_key_size = 4096;

 $cron_cmd = "$module_config_directory/update.pl";

--- a/webmin/change_ssl.cgi
+++ b/webmin/change_ssl.cgi
@@ -47,7 +47,7 @@ elsif ($in{'cipher_list_def'} == 3) {
 		# Generate file needed for PFS
 		my $out = &backquote_command(
 			"openssl dhparam -out ".
-			quotemeta($miniserv{'dhparams_file'})." 2048 2>&1");
+			quotemeta($miniserv{'dhparams_file'})." 4096 2>&1");
 		if ($?) {
 			&error(&text('ssl_edhparams',
 				     "<pre>".&html_escape($out)."</pre>"));
--- a/webmin/letsencrypt-lib.pl
+++ b/webmin/letsencrypt-lib.pl
@@ -269,7 +269,7 @@ if ($letsencrypt_cmd) {
 			}
 		}
 	$dir =~ s/\/[^\/]+$//;
-	$size ||= 2048;
+	$size ||= 4096;
 	my $out;
 	my $common_flags = " --duplicate".
 			   " --force-renewal".
--- a/webmin/webmin-lib.pl
+++ b/webmin/webmin-lib.pl
@@ -64,7 +64,7 @@ our $third_port = $primary_port;
 our $third_page = "/cgi-bin/third.cgi";
 our $third_ssl = $primary_ssl;

-our $default_key_size = "2048";
+our $default_key_size = "4096";

 our $webmin_yum_repo_file = "/etc/yum.repos.d/webmin.repo";
 our $webmin_yum_repo_url = "https://download.webmin.com/download/newkey/yum";