Does the SSL Certificate sensor correctly evaluate the key length of ECC certificates?

Votes:

0

The release notes say that PRTG version 18.1.37 includes a fix for the SSL Certificate sensor that affects monitoring ECC based certificates.

Can you please explain what exactly you fixed? Do I have to pay attention to anything after updating my PRTG to version 18.1.37?

bugfix ecc-certificate prtg public-key-length release-notes ssl-certificate

Created on Jan 19, 2018 1:04:17 PM by Gerald Schoch [Paessler Support]

Last change on Jan 19, 2018 1:04:37 PM by Gerald Schoch [Paessler Support]



1 Reply

Accepted Answer

Votes:

0

This article applies to PRTG Network Monitor 18.1.37 or later

SSL Certificate Sensors and ECC Certificates: Fix for Public Key Length Monitoring

The SSL Certificate sensor monitors the certificate of a secure connection and can show, for example, the length of the public key in a dedicated sensor channel. Depending on the type of cryptography (ECC or RSA) and the length of the key, the channel shows a suitable sensor status.

In certain cases, the sensor reported an unsafe public key length for ECC (Elliptic Curve Cryptography) based certificates although the key length fulfilled the requirements for a good security rating.

We fixed this behavior in PRTG version 18.1.37.

Reasons for the Issue

The length of an ECC based certificate is defined by its curve algorithm and the length of the coordinates on the curve. There are two points to consider:

  • The RFC defines that coordinates take up to n bits of length, where n is half the total key length.
  • Leading zeros (0) in coordinates can be cut. This is the reason why a direct check of the key length would fail. The values are too short in such cases.

This is what caused the issue with key length checks of the SSL Certificate sensor in PRTG versions before 18.1.37.

Example

The certificate of blog.example.com is an sha256ECDSA certificate with the ECDSA_P256 key algorithm. This means that the key length should be 256 bits.

Consider the following sample coordinates x and y for the certificate. Note that the x coordinate misses 2 characters for the full length.

x = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
y = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

The SSL Certificate sensor could not properly handle such cases before the fix and failed. The sensor only evaluated the length of the x coordinate, so the evaluated length was just half the actual key length (128 bits).

Because the sample x coordinate is missing 2 characters to the full possible length, the evaluated key length (124 bits) is below the defined value for good security in the default lookup file of the sensor channel. The lookup required 128 bits or more for a good security rating.

PRTG version 18.1.37 fixes the issue. The SSL Certificate sensor will now show a good security rating in such cases.

Do I Have to Pay Attention to Anything when Updating to the Fixed Version?

If you were not affected by this error in previous versions or you just ignored it, update PRTG and existing or newly created SSL Certificate sensors will show a green up status even if such cases occur.

If you have changed the lookup file to manually avoid such issues with the key length of ECC certificates, please choose the original lookup file again after the update.

  1. Open the channel settings of the SSL Certificate sensor channel Public Key Length.
  2. In section Value Lookup choose the original lookup prtg.standardlookups.sslcertificatesensor.publickeyecc.
  3. Save your changes.

Created on Jan 19, 2018 1:23:29 PM by Gerald Schoch [Paessler Support]
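The failure mode the answer describes (a coordinate that prints short because its leading zeros were dropped) can be reproduced in a few lines. The script below is an added example, not Paessler's or PRTG's own code: it measures a constructed coordinate the way a check that counts printed digits would (this example assumes 4 bits per hex digit; the sensor's exact arithmetic is not stated), derives the length from the curve instead, and shows that the key inside a certificate is carried as a fixed-width SEC1 point, so a parser that uses the curve's field size never sees the short value. The curve table, the sample coordinates and the 256-bit threshold in the usage call are all constructed for this example.

```python
# Added example, not PRTG/Paessler code.  Contrasts a fragile
# "measure the printed coordinate" check with one that derives the key
# length from the curve, and shows the fixed-width point encoding used
# for EC public keys in certificates.  All coordinate values are constructed.

# Assumed mapping from curve name to field size in bits (NIST curves).
CURVE_BITS = {"P-256": 256, "P-384": 384, "P-521": 521}

# Constructed sample coordinates for a P-256 key: x as it prints once its
# leading zero byte is dropped (62 hex digits), y at full width (64 digits).
SAMPLE_X_HEX = "A" * 62
SAMPLE_Y_HEX = "B" * 64


def naive_key_length(coord_hex: str) -> int:
    """Length check that trusts the printed coordinate (4 bits per hex digit).
    A coordinate whose leading zeros were stripped is under-measured."""
    return len(coord_hex) * 4


def key_length_from_curve(curve_name: str) -> int:
    """Robust check: the key length is a property of the curve, not of how
    many digits one particular coordinate happens to need."""
    return CURVE_BITS[curve_name]


def coord_field_bytes(curve_name: str) -> int:
    """Bytes each coordinate occupies in a fixed-width encoding."""
    return (CURVE_BITS[curve_name] + 7) // 8


def fixed_width_hex(coord: int, curve_name: str) -> str:
    """Re-pad a coordinate to the curve's field width (restores leading zeros)."""
    return coord.to_bytes(coord_field_bytes(curve_name), "big").hex().upper()


def encode_uncompressed_point(x: int, y: int, curve_name: str) -> bytes:
    """SEC1 uncompressed point (0x04 || X || Y) with fixed-width coordinates,
    the form in which an EC public key sits inside a certificate."""
    n = coord_field_bytes(curve_name)
    return b"\x04" + x.to_bytes(n, "big") + y.to_bytes(n, "big")


def decode_uncompressed_point(point: bytes, curve_name: str) -> tuple:
    """Split a SEC1 uncompressed point back into (x, y).  The width is fixed
    by the curve, so a coordinate with leading zero bytes parses correctly."""
    n = coord_field_bytes(curve_name)
    if len(point) != 1 + 2 * n or point[0] != 0x04:
        raise ValueError("not an uncompressed point for %s" % curve_name)
    return (int.from_bytes(point[1:1 + n], "big"),
            int.from_bytes(point[1 + n:], "big"))


def rating(bits: int, good_from: int) -> str:
    """Lookup-style rating: 'good' at or above the threshold, else 'unsafe'."""
    return "good" if bits >= good_from else "unsafe"


if __name__ == "__main__":
    x, y = int(SAMPLE_X_HEX, 16), int(SAMPLE_Y_HEX, 16)
    for label, coord in (("x", SAMPLE_X_HEX), ("y", SAMPLE_Y_HEX)):
        bits = naive_key_length(coord)
        print(label, "naive:", bits, "bits ->", rating(bits, 256))
    curve_bits = key_length_from_curve("P-256")
    print("curve-based:", curve_bits, "bits ->", rating(curve_bits, 256))
    print("x re-padded:", fixed_width_hex(x, "P-256"))
    point = encode_uncompressed_point(x, y, "P-256")
    print("round trip ok:", decode_uncompressed_point(point, "P-256") == (x, y))
```

Run as a script, the naive measurement of the short x coordinate falls below the constructed threshold while the curve-based length does not, and the re-padded coordinate regains its leading `00` byte; the round trip through the fixed-width point shows that the certificate encoding itself never loses that information.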



