[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#861185: marked as done (ssl-cert: snakeoil certs need to have Subject Alternative Names)

Your message dated Fri, 28 Apr 2017 21:06:02 +0000
with message-id <E1d4D5W-0008ek-2Y@fasolo.debian.org>
and subject line Bug#861185: fixed in ssl-cert 1.0.39
has caused the Debian Bug report #861185,
regarding ssl-cert: snakeoil certs need to have Subject Alternative Names
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

861185: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861185
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: ssl-cert
Version: 1.0.35
Severity: important

Newer web browsers (Chrome 58+, Firefox 48+) are requiring that
Subject Alternative Names (SANs) be present in certificates, 
and are ignoring the Common Name (CN) field.

The snakeoils certs generated by make-ssl-cert(8) currently do not
put the SAN fields in by default (one has to use a custom tempalte).

This can be fixed by first tweaking the default ssleay.cnf file, 
and appending the following to the end:

	[ v3_req ]
	basicConstraints        = CA:FALSE
	# New content below:
	subjectAltName          = @alt_names
	DNS.1                   = @HostName@

The invocation of sed(1) in create_temporary_cnf() will then make
sure that @HostName@ will be replaced in both the CN and SAN.

The create_temporary_cnf() function also needs to be changed as there is
now the possibly of two SAN fields, so each needs to be unique:

	[ -z "$AltName" ] || echo "DNS.2=$AltName" >> $TMPFILE

The numbers don't actually matter (i.e., we could use DNS.314), as long
as they are unique.

Ideally these changes should be go into Debian 9, as browsers are using
this new behaviour right now, so we want to make sure that new installs
use new way of doing things for better compaibility for the life of 

-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ssl-cert depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  openssl                1.0.1t-1+deb8u5

ssl-cert recommends no packages.

Versions of packages ssl-cert suggests:
pn  openssl-blacklist  <none>

-- debconf information excluded

--- End Message ---
--- Begin Message ---
Source: ssl-cert
Source-Version: 1.0.39

We believe that the bug you reported is fixed in the latest version of
ssl-cert, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861185@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Stefan Fritsch <sf@debian.org> (supplier of updated ssl-cert package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Hash: SHA512

Format: 1.8
Date: Fri, 28 Apr 2017 21:58:22 +0200
Source: ssl-cert
Binary: ssl-cert
Architecture: source all
Version: 1.0.39
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
 ssl-cert   - simple debconf wrapper for OpenSSL
Closes: 861185
 ssl-cert (1.0.39) unstable; urgency=medium
   * Always put the common name also in the SubjectAltName. This is required
     to make newer web browsers happy. Closes: #861185
     The wording in the debconf questions will be adjusted later, to avoid
     having to fix so many translation shortly before the release.
 445d7714a879c54547ba50b91ddb86b0557d00d0 1644 ssl-cert_1.0.39.dsc
 bb446eac7c72a4aca95b6358e44b169a43fd8db9 26080 ssl-cert_1.0.39.tar.xz
 912b077399b9b6b2fc70f15b46a7054f809b4900 20836 ssl-cert_1.0.39_all.deb
 0e0b94f7284db33d9404c7a81999ba24d8c86fde 5633 ssl-cert_1.0.39_amd64.buildinfo
 260b6260b477c82c942491fc81c6442e43b4893dfc29e26088cad04e08a521c8 1644 ssl-cert_1.0.39.dsc
 1265a1941169ea7bb192162e311303999fbdc5f3041338957630d942f872f7bf 26080 ssl-cert_1.0.39.tar.xz
 57e66b30d0d7db7a70518b34fa1787e10f8210b327e2a39f147ee3dbf41ace85 20836 ssl-cert_1.0.39_all.deb
 b8941d948401e0095ca6508fba7b244dfb0e6106bee95e0b099a909a479bac53 5633 ssl-cert_1.0.39_amd64.buildinfo
 7c0444cf26853833a3a7ee0ba5eb5026 1644 utils optional ssl-cert_1.0.39.dsc
 86bcf9aa90c29b711523f1d925f78685 26080 utils optional ssl-cert_1.0.39.tar.xz
 3a8da7f47c33423162f1f6e86e6b1f83 20836 utils optional ssl-cert_1.0.39_all.deb
 789a0529d9b7f8b769bd2320d44434e8 5633 utils optional ssl-cert_1.0.39_amd64.buildinfo



--- End Message ---

Reply to: