Re: Using the SSL snakeoil certificate



On (03/07/06 23:34), Petter Reinholdtsen wrote:
> 
> [Jaldhar H. Vyas]
> > Is this is a good idea for Debian?  I think it is but it doesn't make
> > sense to switch dovecot over unless all the other ssl-cert using
> > packages also do it. Is this possible in the etch timeframe?
> 
> Yes, it is a good idea to make the SSL certificate handling in Debian
> packages more consistent.  In Debian-Edu, we install and automatically
> configure several services with SSL certificates, like imap, ldap and
> webmin, and it is a pain to handle all the ways SSL-certificates are
> generated. :)
> 

So, as this proposal seemed to provoke a response that was somewhere
between non-caring and enthusiastic, I thought I would look into the
possibility of doing this.

For an estimate of the packages that generate a certificate in postinst
(let's hope there are none that include them in the package) I tried:

$ grep-available -FDepends openssl -sPackage -n | sort

    apache-ssl
    apache2-common
    ca-certificates
    courier-imap-ssl
    courier-ssl
    dovecot-common
    dsniff
    ejabberd
    exim-tls
    freeswan
    ftpd-ssl
    httping
    ipopd
    libapache-mod-ssl
    libmultisync-plugin-syncml
    nessusd
    openoffice.org-core
    partimage-server
    python-pyopenssl
    ssl-cert
    ssleay
    sslwrap
    stone-ssl
    stunnel
    stunnel4
    telnetd-ssl
    tinyca
    ultrapossum-tls
    usermin
    uw-imapd
    webmin

which is a reasonable number (especially as some of these will be
false positives). So then to see how ssl-cert is actually used I
downloaded the source of apache2 and looked in
debian/apache2-common.postinst where I found

  # Make self-signed certificate
  #if [ ! -f /etc/apache2/ssl/apache.pem ]
  #then
  #        /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf
  #        /etc/apache2/ssl/apache.pem
  #fi

So looking in the changelog.debian I found the following

  apache2 (2.0.48-8) unstable; urgency=low
  * Disable ssl-cert until it sucks less. related to 230791 (closes: #231726)
   -- Thom May <thom@debian.org>  Mon,  2 Feb 2004 12:47:10 +0000

  (that is http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=230791 and
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=231726, 
   http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=ssl-cert is also 
   quite enlightening)

So, it seems the only packages in Debian that use ssl-cert don't
actually at the moment.

So it seems like ssl-cert needs some work before it can be used by more
packages. The maintainers of ssl-cert are the apache maintainers
themselves, so it doesn't look like they'll be sorting it out soon.

I am willing to work a bit on getting it into shape; does anyone want
to volunteer to help out and then create patches for all the necessary
packages?


James


-- 
  James Westby
  jw+debian@jameswestby.net
  http://jameswestby.net/
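The check James did by hand on apache2-common.postinst (is make-ssl-cert really called, or only left commented out?) can be scripted over a directory of maintainer scripts. This is an added example, not code from the mail or from the ssl-cert package; the postinst fragments it scans are constructed samples, one of them reproducing the commented-out apache2 block quoted above.

```shell
#!/bin/sh
# Added example: report whether maintainer scripts contain a live call to
# make-ssl-cert, a commented-out one, or none at all. The sample scripts
# written below are constructed for illustration only.

# Print "active", "commented" or "none" for the script given as $1.
classify_make_ssl_cert() {
    # Lines whose first non-blank character is '#' are comments; drop
    # them before looking for a live call.
    if grep -v '^[[:space:]]*#' "$1" | grep -q 'make-ssl-cert'; then
        echo active
    elif grep -q 'make-ssl-cert' "$1"; then
        echo commented
    else
        echo none
    fi
}

# Constructed samples: the disabled apache2 fragment from the mail, a
# live (existence-guarded) call, and a script with no call at all.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/apache2-common.postinst" <<'EOF'
#!/bin/sh
# Make self-signed certificate
#if [ ! -f /etc/apache2/ssl/apache.pem ]
#then
#        /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf
#        /etc/apache2/ssl/apache.pem
#fi
EOF
cat > "$SAMPLE_DIR/live.postinst" <<'EOF'
#!/bin/sh
# Hypothetical package: only generate the certificate if it is missing.
if [ ! -f /etc/example/ssl/example.pem ]; then
        /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf \
                /etc/example/ssl/example.pem
fi
EOF
printf '#!/bin/sh\nexit 0\n' > "$SAMPLE_DIR/plain.postinst"

# Summarise every *.postinst in a directory, one "name<TAB>status" line each.
report_make_ssl_cert() {
    for f in "$1"/*.postinst; do
        printf '%s\t%s\n' "$(basename "$f")" "$(classify_make_ssl_cert "$f")"
    done
}

report_make_ssl_cert "$SAMPLE_DIR"
```

Point it at the debian/ directories of unpacked sources to get the same answer for the whole list above without reading each postinst by hand.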
