Bug#790943: [ssl-cert] Root and local certificate location clash

To: 790943@bugs.debian.org
Subject: Bug#790943: [ssl-cert] Root and local certificate location clash
From: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Date: Mon, 28 Sep 2015 13:09:11 +0100
Message-id: <[🔎] 56092DE7.8010301@gmail.com>
Reply-to: Alan Jenkins <alan.christopher.jenkins@gmail.com>, 790943@bugs.debian.org
In-reply-to: <55964E56.9030500@pocock.pro>
References: <55964E56.9030500@pocock.pro> <55964E56.9030500@pocock.pro>

On Fri, 03 Jul 2015 10:56:54 +0200 Daniel Pocock <daniel@pocock.pro> wrote:
> Package: ssl-cert
> Version: 1.0.35

> This package provides the script /usr/sbin/make-ssl-cert
>
> It creates certificates and puts the public key / certificate PEM file
> in /etc/ssl/certs
>
> The ca-certificates package puts symlinks to CA certificates in the same
> location, /etc/ssl/certs
>
> Some other packages refer to /etc/ssl/certs as a directory of trusted
> roots.

> Some people suggest using /etc/ssl/ssl.crt or /etc/ssl/public for local
> certificate files.
>
> I did a Google search to try and find out of there is a policy about
> this directory and no results were found. So I can't say that this
> package is violating any specific policy or what should be done to fix
> it, but I do feel the status quo is troublesome.

+1.

/etc/ssl/certs is generated by ca-certificates, I don't think it shouldbe modified by anyone else. I found a weird bug/conflict as a result.

Debian Jessie provides this awesomely convenient setup for Apache. Youcan literally just enable SSL, and it uses the "snakeoil" (self-signed)certificate created by ssl-cert. (Then Iceweasel/Firefox let you addthe server cert when you visit).

I'm looking at trusting the snakeoil cert (to get secure Owncloudsync). I tested curl from the server to itself - certificate error.But the snakeoil cert is already in /etc/ssl/certs, so how does thisactually work[*]? curl --cacert <certificate file> works fine. Let'spoke around...


update-ca-certificates # no change

update-ca-certificates --fresh # now curl works! without specifying anyoptions.

`update-ca-certificates --fresh` is only documented to remove any stalesymlinks. It shouldn't suddenly change the trust status of the defaultsnakeoil! It's not a massive security problem because the snakeoilisn't a CA cert. But it's obviously unintended and surprising behavior.

You could argue it suggests sloppy coding in ca-certificates as well,but ssl-cert's behavior is just asking for trouble.

[*] The "standard", documented way is to copy certs to/usr/local/share/ca-certificates (huh?) and run update-ca-certificates.


> Should local certs go in some other directory,

+1

> or should other packages
> stop trusting everything in /etc/ssl/certs?

Btw I don't mind an extra step to trust local certs, so long as there'sa documented method I can have confidence in.


Alan

Reply to:

Prev by Date: Processed: Re: [php-maint] Bug#799630: libapache2-mod-php5: changes apache MPM event if disabled
Previous by thread: Processed: Re: [php-maint] Bug#799630: libapache2-mod-php5: changes apache MPM event if disabled
Index(es):
- Date
- Thread