Bug#464930: ssl-cert: please use 'hostname -f' in /usr/sbin/make-ssl-cert

To: submit@bugs.debian.org
Subject: Bug#464930: ssl-cert: please use 'hostname -f' in /usr/sbin/make-ssl-cert
From: Steve Langasek <steve.langasek@canonical.com>
Date: Sat, 9 Feb 2008 14:25:11 -0800
Message-id: <[🔎] 20080209222511.GG31544@dario.dodds.net>
Reply-to: Steve Langasek <steve.langasek@canonical.com>, 464930@bugs.debian.org

Package: ssl-cert
Version: 1.0.14
Severity: important
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: ubuntu-patch origin-ubuntu hardy

make-ssl-cert currently uses 'hostname' to set the cn of the default snake
oil certificate.  This results in a cn set to a relative hostname, not an
FQDN (which would be given by 'hostname -f').  This yields a suboptimal
certificate: OpenLDAP, for instance, will map 'localhost' to the fqdn when
verifying certificates, which will properly fail to match the relative
hostname in most cases, and there's also the issue that having a certificate
that only works with the relative hostname ensures that users will only
/connect/ using the relative hostname, opening a subtle attack vector in the
form of hostname collisions in the domain search list.

The attached patch implements this change in the most trivial fashion.
However, it's probably also reasonable to have the unqualified hostname as
an alternative name in the certificate for convenience; in that case, it
makes sense to add a subjectAlternativeName to the snakeoil cert as well,
including the value of $(hostname).  If you prefer, I can look at
implementing this.

Incidentally, is this package actually maintained today?  I notice that the
maintainer is listed as "Debian Apache Maintainers", and that none of the
uploaders listed have been active in Apache maintenance for some time...

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

diff -Nru ssl-cert-1.0.14/debian/changelog ssl-cert-1.0.14/debian/changelog
--- ssl-cert-1.0.14/debian/changelog	2007-02-02 22:47:27.000000000 -0800
+++ ssl-cert-1.0.14/debian/changelog	2008-02-09 14:15:27.000000000 -0800
@@ -1,3 +1,13 @@
+ssl-cert (1.0.14-0.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Use 'hostname -f' for the snakeoil CN instead of 'hostname', since
+    relative hostnames are subject to namespace collisions that could be
+    exploited (and also because OpenLDAP doesn't care for them when
+    connecting to localhost).
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Sat, 09 Feb 2008 22:13:25 +0000
+
 ssl-cert (1.0.14) unstable; urgency=low
 
   * Non-maintainer upload to fix pending l10n issues.
diff -Nru /tmp/jDzpFqLCPH/ssl-cert-1.0.14/make-ssl-cert /tmp/rrqcQpBL77/ssl-cert-1.0.14/make-ssl-cert
--- ssl-cert-1.0.14/make-ssl-cert	2006-05-18 05:02:20.000000000 -0700
+++ ssl-cert-1.0.14/make-ssl-cert	2008-02-09 14:15:45.000000000 -0800
@@ -56,7 +56,7 @@
      LocalityName="Everywhere"
      OrganisationName="OCOSA"
      OUName="Office for Complication of Otherwise Simple Affairs"
-     HostName="$(hostname)"
+     HostName="$(hostname -f)"
      Email="root@$HostName"
 }

Reply to:

Follow-Ups:
- Bug#464930: marked as done (ssl-cert: please use 'hostname -f' in /usr/sbin/make-ssl-cert)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#191237: Adobe Photoshop CS3 Extended MAC/XP/Vista for 89, Retai1s @ 999 (keep 909)
Next by Date: Bug#261349: make-ssl-cert script hangs
Previous by thread: Bug#191237: Adobe Photoshop CS3 Extended MAC/XP/Vista for 89, Retai1s @ 999 (keep 909)
Next by thread: Bug#464930: marked as done (ssl-cert: please use 'hostname -f' in /usr/sbin/make-ssl-cert)
Index(es):
- Date
- Thread