Re: Using the SSL snakeoil certificate
On (03/07/06 23:34), Petter Reinholdtsen wrote:
>
> [Jaldhar H. Vyas]
> > Is this a good idea for Debian? I think it is but it doesn't make
> > sense to switch dovecot over unless all the other ssl-cert using
> > packages also do it. Is this possible in the etch timeframe?
>
> Yes, it is a good idea to make the SSL certificate handling in Debian
> packages more consistent. In Debian-Edu, we install and automatically
> configure several services with SSL certificates, like imap, ldap and
> webmin, and it is a pain to handle all the ways SSL-certificates are
> generated. :)
>
So, as this proposal seemed to provoke a response that was somewhere
between non-caring and enthusiastic I thought I would look into the
possibility of doing this.

For an estimate of the packages that generate a certificate in postinst
(let's hope there are none that include them in the package) I tried:
$ grep-available -FDepends openssl -sPackage -n | sort
apache-ssl
apache2-common
ca-certificates
courier-imap-ssl
courier-ssl
dovecot-common
dsniff
ejabberd
exim-tls
freeswan
ftpd-ssl
httping
ipopd
libapache-mod-ssl
libmultisync-plugin-syncml
nessusd
openoffice.org-core
partimage-server
python-pyopenssl
ssl-cert
ssleay
sslwrap
stone-ssl
stunnel
stunnel4
telnetd-ssl
tinyca
ultrapossum-tls
usermin
uw-imapd
webmin
which is a reasonable number (especially as some of these will be
false positives). So then to see how ssl-cert is actually used I
downloaded the source of apache2 and looked in
debian/apache2-common.postinst where I found
# Make self-signed certificate
#if [ ! -f /etc/apache2/ssl/apache.pem ]
#then
# /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf
# /etc/apache2/ssl/apache.pem
#fi
So looking in the changelog.debian I found the following
apache2 (2.0.48-8) unstable; urgency=low
* Disable ssl-cert until it sucks less. related to 230791 (closes: #231726)
-- Thom May <thom@debian.org> Mon, 2 Feb 2004 12:47:10 +0000
(that is http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=230791 and
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=231726,
http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=ssl-cert is also
quite enlightening)
So, it seems the only packages in Debian that use ssl-cert don't
actually at the moment.
So it seems like ssl-cert needs some work before it can be used by more
packages. The maintainers of ssl-cert are the apache maintainers
themselves, so it doesn't look like they'll be sorting it out soon.
I am willing to work a bit on getting it into shape, does anyone want
to volunteer to help out and then create patches for all the necessary
packages?
James
--
James Westby
jw+debian@jameswestby.net
http://jameswestby.net/