Bug#861185: marked as done (ssl-cert: snakeoil certs need to have Subject Alternative Names)
Your message dated Fri, 28 Apr 2017 21:06:02 +0000
with message-id <E1d4D5W-0008ek-2Y@fasolo.debian.org>
and subject line Bug#861185: fixed in ssl-cert 1.0.39
has caused the Debian Bug report #861185,
regarding ssl-cert: snakeoil certs need to have Subject Alternative Names
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
861185: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861185
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: ssl-cert
Version: 1.0.35
Severity: important
Newer web browsers (Chrome 58+, Firefox 48+) are requiring that
Subject Alternative Names (SANs) be present in certificates,
and are ignoring the Common Name (CN) field.
The snakeoils certs generated by make-ssl-cert(8) currently do not
put the SAN fields in by default (one has to use a custom tempalte).
This can be fixed by first tweaking the default ssleay.cnf file,
and appending the following to the end:
[...]
[ v3_req ]
basicConstraints = CA:FALSE
# New content below:
subjectAltName = @alt_names
[alt_names]
DNS.1 = @HostName@
The invocation of sed(1) in create_temporary_cnf() will then make
sure that @HostName@ will be replaced in both the CN and SAN.
The create_temporary_cnf() function also needs to be changed as there is
now the possibly of two SAN fields, so each needs to be unique:
[ -z "$AltName" ] || echo "DNS.2=$AltName" >> $TMPFILE
The numbers don't actually matter (i.e., we could use DNS.314), as long
as they are unique.
Ideally these changes should be go into Debian 9, as browsers are using
this new behaviour right now, so we want to make sure that new installs
use new way of doing things for better compaibility for the life of
stretch.
-- System Information:
Debian Release: 8.6
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages ssl-cert depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.56
ii openssl 1.0.1t-1+deb8u5
ssl-cert recommends no packages.
Versions of packages ssl-cert suggests:
pn openssl-blacklist <none>
-- debconf information excluded
--- End Message ---
--- Begin Message ---
Source: ssl-cert
Source-Version: 1.0.39
We believe that the bug you reported is fixed in the latest version of
ssl-cert, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 861185@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated ssl-cert package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 28 Apr 2017 21:58:22 +0200
Source: ssl-cert
Binary: ssl-cert
Architecture: source all
Version: 1.0.39
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
ssl-cert - simple debconf wrapper for OpenSSL
Closes: 861185
Changes:
ssl-cert (1.0.39) unstable; urgency=medium
.
* Always put the common name also in the SubjectAltName. This is required
to make newer web browsers happy. Closes: #861185
The wording in the debconf questions will be adjusted later, to avoid
having to fix so many translation shortly before the release.
Checksums-Sha1:
445d7714a879c54547ba50b91ddb86b0557d00d0 1644 ssl-cert_1.0.39.dsc
bb446eac7c72a4aca95b6358e44b169a43fd8db9 26080 ssl-cert_1.0.39.tar.xz
912b077399b9b6b2fc70f15b46a7054f809b4900 20836 ssl-cert_1.0.39_all.deb
0e0b94f7284db33d9404c7a81999ba24d8c86fde 5633 ssl-cert_1.0.39_amd64.buildinfo
Checksums-Sha256:
260b6260b477c82c942491fc81c6442e43b4893dfc29e26088cad04e08a521c8 1644 ssl-cert_1.0.39.dsc
1265a1941169ea7bb192162e311303999fbdc5f3041338957630d942f872f7bf 26080 ssl-cert_1.0.39.tar.xz
57e66b30d0d7db7a70518b34fa1787e10f8210b327e2a39f147ee3dbf41ace85 20836 ssl-cert_1.0.39_all.deb
b8941d948401e0095ca6508fba7b244dfb0e6106bee95e0b099a909a479bac53 5633 ssl-cert_1.0.39_amd64.buildinfo
Files:
7c0444cf26853833a3a7ee0ba5eb5026 1644 utils optional ssl-cert_1.0.39.dsc
86bcf9aa90c29b711523f1d925f78685 26080 utils optional ssl-cert_1.0.39.tar.xz
3a8da7f47c33423162f1f6e86e6b1f83 20836 utils optional ssl-cert_1.0.39_all.deb
789a0529d9b7f8b769bd2320d44434e8 5633 utils optional ssl-cert_1.0.39_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEOpiNza8JqByyYYsxxodfNUHO/eAFAlkDoXcACgkQxodfNUHO
/eAkwA/7B6m6w99ZKwF+KHCYvR/CAsLOMIyTWJ//lrIUnsYzMTbmSHTinDBt8L8J
IlhuDoxa3d80C/ABfA7XV/+dgDH+ysueCATaqvXPbQuyqkuJcrxJ+9e/02T4/r4m
sJEoUtM2dSM2UPnfxQ1FsEd7Sfpz8LvfOB+C36bTjUSXUPiDb5GVYRB44ixekDYi
hks0miPWx7yDhEqNd1uGapCXCzim1av2YACFu8Tt0fSvh0BlsVlw5lJvNnguvuHq
vIQXW7hM6mWFULZJeRSZPKobmaPsxKc2kFrXnPtkMZCsnv9vnwPUHRsNoLpBZG+c
c6OEIhyMqWDf94Z1kQbpIS84sx8yFozjPNN7qvzIvq1IwAoq2j1igq1dwdJ4GFgj
QFtogoshiXNSFALKPcZUG3rB0Vpun9p19geAEbmjzD+90ZuLnPagUy+329hQcBUV
WZjmI0Crc55R4n+GL1Ssv+8he1WTp2rj0vLbNWhzwd2InCM7jrRy2bxyH7vNY4KQ
JfxvwQ3m4Xc8jr/aJL0xdKy9qVeJ4AZMeBww8s3/+XMWqkLla0/nN3jnvqN/epMy
inWKzgT10nt9LVIZKm7qJfbPdOPu11TfJUgQ1qolyKio4j/KTroY+RQEOfxDJz0N
G79tavSVvw0g98BiyoJD52TOa7F80jysMZJn7pdVTRkfAkZrT4Q=
=OVnD
-----END PGP SIGNATURE-----
--- End Message ---
Reply to: