
Re: An initial attempt to help with SSL-related bugs



On Tue Apr 15, 2008 at 22:15:18 +0200, Stefan Fritsch wrote:

> >    - Suggestion:
> >      1. Update the sites-available/default to include SSL options.
> 

> Yes, but how? Put all common options into an include file and include 
> it in each of the two virtual hosts (like Message #132 in the bug)? 

  No.

> Maybe using two files sites-available/default and 
> sites-available/default-ssl would be better even.

  Yes.

> And what virtualhost setup to use? The most correct one would be 
> NameVirtualHost *:80
> <VirtualHost *:80>
> ...
> <VirtualHost _default_:443>
> ...
> 
> because the ssl virtual host is IP/port based, not name based. OTOH 
> this could create headaches on upgrade.

  Yes.  But I think that people who actually want to use the Apache
 package(s) are aware of how to disable sites they don't want, so
 adding it in as a new file should be reasonable.

> BTW, the NameVirtualHost statement should go into ports.conf (there is 
> another bug about this, too).

  Agreed.

> >      2. Update "a2enmod" so that if "a2enmod ssl" is executed then
> >         a new certificate is generated via openssl | ssl-cert if
> >         the referenced one isn't already present.
> 
> I would prefer a separate script. But "a2enmod ssl" could print a 
> pointer to that script.

  OK.  I'd be happy to do that.


> > #398520 missing /usr/sbin/apache2-ssl-certificate
> >
> >    - Reinstate script, as a wrapper around openssl, or the new
> >      ssl-cert package.
> >      Question:  Why was this removed?  Can we not re-add it?
> >
> 
> Don't know, I wasn't around then. One should look at it if it does 
> something differently than ssl-cert.

  That ties in with the a2enmod change above I guess.

> > #260063 apache2: suggestion to add new file - conf.d/security.conf
> >
> >    - I would add this file with the suggested comments.  I'd also
> > suggest adding comments here about things such as:
> >        1. ServerTokens Minimal
> >        2. ServerSignature Off
> 
> I am undecided about this. If yes, traceenable would be another 
> candidate. 

  Agreed.  I think it is worth adding, because it provides a
 nice centralized place for this kind of setting.

> >      (If this were done  #341022 could be closed.)
> 
> Denying "/" by default would definitely need a NEWS entry, because it 
> would break quite a few setups.

  Agreed.

> >     1.  Are these suggested solutions reasonable?
> Sure.

  Great.

> >     2.  If so should I submit patches to the list / the relevant
> >        bugs / do something else?
> 
> I think mailing patches to the bugs would be best for a start.

  I'll do that, but I always feel that it's a little piecemeal
 doing it that way, because there are disparate changes which
 must be taken together.

  Anyway I'll make some changes against the version of apache2
 in sid, and follow up on these bugs.

  I'll close the four we've agreed are obsolete tomorrow to give
 anybody else a chance to object.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit
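
Added example (not part of the original message, and not code from the Debian apache2 package): a small shell check for the three settings discussed for conf.d/security.conf in #260063, namely ServerTokens, ServerSignature and TraceEnable. The function names and the sample file are hypothetical, and it assumes any ServerTokens value other than Full or OS is at least as terse as the suggested Minimal.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print "<directive> <OK|WEAK|MISSING> <value>" for the three settings
# proposed for conf.d/security.conf. The last occurrence in the file wins.
audit_security_conf() {
    [ -r "$1" ] || return 2
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        { seen[tolower($1)] = tolower($2) }   # directive names are case-insensitive
        END {
            n = split("servertokens serversignature traceenable", names, " ")
            for (i = 1; i <= n; i++) {
                d = names[i]
                if (!(d in seen)) { print d, "MISSING", "-"; continue }
                v = seen[d]
                if (d == "servertokens")
                    ok = (v != "full" && v != "os")   # Minimal or terser
                else
                    ok = (v == "off")
                print d, (ok ? "OK" : "WEAK"), v
            }
        }
    ' "$1"
}

# Succeeds only when all three directives are present and set as suggested.
security_conf_is_hardened() {
    [ -r "$1" ] || return 2
    ! audit_security_conf "$1" | grep -qv ' OK '
}

# Constructed sample input: TraceEnable is absent, ServerTokens is verbose.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ServerTokens Full
ServerSignature Off
EOF
audit_security_conf "$sample"
security_conf_is_hardened "$sample" || echo "not hardened: $sample"
rm -f "$sample"
```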

