[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#861185: ssl-cert: snakeoil certs need to have Subject Alternative Names

Package: ssl-cert
Version: 1.0.35
Severity: important

Newer web browsers (Chrome 58+, Firefox 48+) are requiring that
Subject Alternative Names (SANs) be present in certificates, 
and are ignoring the Common Name (CN) field.

The snakeoils certs generated by make-ssl-cert(8) currently do not
put the SAN fields in by default (one has to use a custom tempalte).

This can be fixed by first tweaking the default ssleay.cnf file, 
and appending the following to the end:

	[ v3_req ]
	basicConstraints        = CA:FALSE
	# New content below:
	subjectAltName          = @alt_names
	DNS.1                   = @HostName@

The invocation of sed(1) in create_temporary_cnf() will then make
sure that @HostName@ will be replaced in both the CN and SAN.

The create_temporary_cnf() function also needs to be changed as there is
now the possibly of two SAN fields, so each needs to be unique:

	[ -z "$AltName" ] || echo "DNS.2=$AltName" >> $TMPFILE

The numbers don't actually matter (i.e., we could use DNS.314), as long
as they are unique.

Ideally these changes should be go into Debian 9, as browsers are using
this new behaviour right now, so we want to make sure that new installs
use new way of doing things for better compaibility for the life of 

-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ssl-cert depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  openssl                1.0.1t-1+deb8u5

ssl-cert recommends no packages.

Versions of packages ssl-cert suggests:
pn  openssl-blacklist  <none>

-- debconf information excluded

Reply to: