[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Using the SSL snakeoil certificate

Jaldhar H. Vyas wrote:
> In bug #376146, Martin Pitt wrote:
> > In an effort to clean up the SSL certificate mess on Ubuntu servers, we
> > recently converted all our supported Server packages to make use of
> > the ssl-cert package instead of creating a package-specific
> > self-signed SSL certificate. This allows admins to easily replace the
> > certificate with a 'real' one without touching dozens of configuration
> > files, and also provides a consistent setup out of the box.
> Is this is a good idea for Debian?  I think it is but it doesn't make sense 
> to switch dovecot over unless all the other ssl-cert using packages also do 
> it. Is this possible in the etch timeframe?

I believe that this is a good idea, however, I would like to propose a
slightly different approach.

At the moment, it seems that all applications use their own
certificates and maybe also create them upon installation or rather

It may be useful to have a certificate for each service, but it may
also be useful to have one certificate for all services.  This may be
discussible but needs to be decided by the local admin anyway.  Hence,
we should try to make both ways easily implementable, especially if
the system is to be reviewed or redesigned.

Hence, I propose to stay with virtual per-service certificates, but to
link them to the common snakeoil certificate from ssl-certificates
during configuration and only if there is no other setting.

For example:

  Dovecot uses </etc/ssl/certs/dovecot.pem>.

  This is a symbolic link to </etc/ssl/certs/ssl-cert-snakeoil.pem> if
  the above file or link does not exist during configuration of

That way, the admin can easily replace the symlink with a real
certificate if they want per-service certificates.

If, however, they want to have one real certificate for everything,
they can replace the snakeoil certificate like Martin Pitt proposed.

I would like to see some coordination between maintainers of packages
that use or create such certificates.  It'll take a while to implement
this anyway, so if only a few packages start and others follow later,
that'd be an improvement anyway.



Open source is important from a technical angle.             -- Linus Torvalds

Please always Cc to me when replying to me on the lists.

Reply to: