Bug#862122: unblock: ssl-cert/1.0.39

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#862122: unblock: ssl-cert/1.0.39
From: Stefan Fritsch <sf@sfritsch.de>
Date: Mon, 08 May 2017 21:23:50 +0200
Message-id: <[🔎] 149427143034.12439.15417626234762626082.reportbug@k.lan>
Reply-to: Stefan Fritsch <sf@sfritsch.de>, 862122@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi release team,

Please unblock package ssl-cert

At least the current version of chrome does not accept the default
certificates generated by ssl-cert 1.0.38 anymore, because they don't
contain the host name as SubjectAltName. Therefore it makes sense to
have the new version of ssl-cert in stretch.

Debdiff is attached.

unblock ssl-cert/1.0.39

Cheers,
Stefan

diff -Nru ssl-cert-1.0.38/debian/changelog ssl-cert-1.0.39/debian/changelog
--- ssl-cert-1.0.38/debian/changelog	2016-05-29 13:44:46.000000000 +0200
+++ ssl-cert-1.0.39/debian/changelog	2017-04-28 21:58:22.000000000 +0200
@@ -1,3 +1,12 @@
+ssl-cert (1.0.39) unstable; urgency=medium
+
+  * Always put the common name also in the SubjectAltName. This is required
+    to make newer web browsers happy. Closes: #861185
+    The wording in the debconf questions will be adjusted later, to avoid
+    having to fix so many translation shortly before the release.
+
+ -- Stefan Fritsch <sf@debian.org>  Fri, 28 Apr 2017 21:58:22 +0200
+
 ssl-cert (1.0.38) unstable; urgency=medium
 
   * Update Turkish translation. Thanks to Atila KOÇ. Closes: #807559
diff -Nru ssl-cert-1.0.38/make-ssl-cert ssl-cert-1.0.39/make-ssl-cert
--- ssl-cert-1.0.38/make-ssl-cert	2016-05-29 13:39:30.000000000 +0200
+++ ssl-cert-1.0.39/make-ssl-cert	2017-04-28 21:53:33.000000000 +0200
@@ -32,8 +32,10 @@
     db_input high make-ssl-cert/altname || true
     db_go
     db_get make-ssl-cert/altname
-    AltName="$RET"
+    AddAltName="$RET"
     db_fset make-ssl-cert/altname seen false
+    SubjectAltName="DNS:$HostName"
+    [ -z "$AddAltName" ] || SubjectAltName="$SubjectAltName,$AddAltName"
 }
 
 make_snakeoil() {
@@ -44,15 +46,14 @@
         echo make-ssl-cert: 'make-ssl-cert generate-default-snakeoil --force-overwrite'
         echo make-ssl-cert: again.
     fi
+    SubjectAltName="DNS:$HostName"
     if [ ${#HostName} -gt 64 ] ; then
-        AltName="DNS:$HostName"
         HostName="$(hostname)"
     fi
 }
 
 create_temporary_cnf() {
-    sed -e s#@HostName@#"$HostName"# $template > $TMPFILE
-    [ -z "$AltName" ] || echo "subjectAltName=$AltName" >> $TMPFILE
+    sed -e s#@HostName@#"$HostName"# -e s#@SubjectAltName@#"$SubjectAltName"# $template > $TMPFILE
 }
 
 # Takes two arguments, the base layout and the output cert.
diff -Nru ssl-cert-1.0.38/ssleay.cnf ssl-cert-1.0.39/ssleay.cnf
--- ssl-cert-1.0.38/ssleay.cnf	2016-05-29 13:39:30.000000000 +0200
+++ ssl-cert-1.0.39/ssleay.cnf	2017-04-28 21:54:35.000000000 +0200
@@ -18,3 +18,4 @@
 
 [ v3_req ]
 basicConstraints        = CA:FALSE
+subjectAltName          = @SubjectAltName@

Reply to:

Follow-Ups:
- Bug#862122: marked as done (unblock: ssl-cert/1.0.39)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#862026: marked as done (unblock: ntp/1:4.2.8p10+dfsg-2 (pre-approval))
Next by Date: Upgrade from Debian 8.6 to 8.8
Previous by thread: Bug#862108: marked as done (unblock: golang-github-seccomp-libseccomp-golang/0.0~git20150813.0.1b506fc-2)
Next by thread: Bug#862122: marked as done (unblock: ssl-cert/1.0.39)
Index(es):
- Date
- Thread