Bug#861185: ssl-cert: snakeoil certs need to have Subject Alternative Names
Newer web browsers (Chrome 58+, Firefox 48+) are requiring that
Subject Alternative Names (SANs) be present in certificates,
and are ignoring the Common Name (CN) field.
The snakeoil certs generated by make-ssl-cert(8) currently do not
put the SAN fields in by default (one has to use a custom template).
This can be fixed by first tweaking the default ssleay.cnf file,
and appending the following to the end:
[ v3_req ]
basicConstraints = CA:FALSE
# New content below:
subjectAltName = @alt_names

# @alt_names refers to a section of that name, so it has to exist;
# it must be the last section in the file so that appended DNS.N lines land in it.
[ alt_names ]
DNS.1 = @HostName@
The invocation of sed(1) in create_temporary_cnf() will then make
sure that @HostName@ will be replaced in both the CN and SAN.
The create_temporary_cnf() function also needs to be changed as there is
now the possibility of two SAN fields, so each needs to be unique:
[ -z "$AltName" ] || echo "DNS.2=$AltName" >> $TMPFILE
The numbers don't actually matter (i.e., we could use DNS.314), as long
as they are unique.
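The whole procedure as an added, stand-alone example (not the ssl-cert package's own script): a constructed template in the shape of the proposed ssleay.cnf, the sed substitution of @HostName@, the optional unique DNS.2 entry, and a check that the issued certificate really carries the SAN extension. The template text, build_cnf and issue_cert are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from make-ssl-cert(8): build an openssl config
# with a SAN section from a template, substituting @HostName@ the way
# create_temporary_cnf() does with sed, then issue a self-signed cert and
# verify the SAN is present.

# Constructed template mirroring the proposed ssleay.cnf additions.
# [ alt_names ] is deliberately the last section so that an appended
# DNS.2 line ends up inside it.
TEMPLATE='[ req ]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = v3_req

[ req_distinguished_name ]
CN = @HostName@

[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = @HostName@
'

# build_cnf HOSTNAME [ALTNAME]: print the config with @HostName@ replaced
# in both CN and DNS.1 and, when an alternative name is given, a second
# DNS.N entry with a unique index.
build_cnf() {
    hostname=$1
    altname=$2
    printf '%s' "$TEMPLATE" | sed -e "s/@HostName@/$hostname/g"
    [ -z "$altname" ] || printf 'DNS.2 = %s\n' "$altname"
}

# issue_cert HOSTNAME [ALTNAME]: write HOSTNAME.key/HOSTNAME.crt and
# succeed only if the certificate contains a DNS SAN for HOSTNAME
# (requires openssl on the system).
issue_cert() {
    cnf=$(mktemp)
    build_cnf "$1" "$2" > "$cnf"
    openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
        -config "$cnf" -keyout "$1.key" -out "$1.crt" 2>/dev/null || return 1
    rm -f "$cnf"
    openssl x509 -in "$1.crt" -noout -text | grep -q "DNS:$1"
}
```

Running `issue_cert www.example.com mail.example.com` then inspecting the certificate with `openssl x509 -noout -text` shows both names under X509v3 Subject Alternative Name.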
Ideally these changes should go into Debian 9, as browsers are using
this new behaviour right now, so we want to make sure that new installs
use the new way of doing things for better compatibility for the life of
-- System Information:
Debian Release: 8.6
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages ssl-cert depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.56
ii openssl 1.0.1t-1+deb8u5
ssl-cert recommends no packages.
Versions of packages ssl-cert suggests:
pn openssl-blacklist <none>
-- debconf information excluded