
Generating SSL certificates in postinst



Hi!

A few days ago I received a bug report for the prosody package
which says that if an admin changes the OpenSSL config file then
generating a self-signed certificate may no longer work because it
requires filling in a different set of fields, so simply sending 7 lines
to the stdin of openssl isn't sufficient (see [1]).

I've searched through the archive and found several packages which
suffer from the same bug (listing source packages):

boxbackup
dovecot
dtc-xen
ejabberd
netkit-telnet-ssl
openswan
prosody
rinputd
stone
strongswan
uw-imap
xmail
yaws

I see two ways of fixing this bug: either use the -batch option, which
means that the certificate will be without a common name (this approach
is used in quassel), or supply our own OpenSSL config file along with
the postinst script (or generate it in the postinst script, as is
done in openvas-server).

Is there a more reasonable way to generate a self-signed certificate
with a common name (preferably without involving temporary OpenSSL
configs)? Or maybe using such certificates is not a good idea at all
and it's better to disable SSL instead of giving self-signed ones to
users?

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=596433

Cheers!
-- 
Sergei Golovan
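
The second approach named in the message above (a private OpenSSL config generated by the postinst), sketched as an added example that is not part of the original post or of any listed package. The function names `make_selfsigned` and `cert_subject_cn`, their arguments and the file paths are hypothetical.

```shell
#!/bin/sh
# Added example: postinst-style helper that does not depend on the prompts
# defined in the admin's /etc/ssl/openssl.cnf. Names are hypothetical.

make_selfsigned() {
    cn="$1"; key="$2"; crt="$3"
    conf=$(mktemp) || return 1
    # Private config: prompt=no means nothing is read from stdin, and the
    # set of subject fields is fixed here rather than by the system config.
    # Assumes $cn is a plain host name (no characters special to the config).
    cat > "$conf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ext

[ dn ]
CN = $cn

[ ext ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:$cn
EOF
    old_umask=$(umask)
    umask 077                      # keep the private key unreadable to others
    rc=0
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -config "$conf" -keyout "$key" -out "$crt" 2>/dev/null || rc=$?
    umask "$old_umask"
    rm -f "$conf"                  # temporary config is removed on every path
    return "$rc"
}

# Print the commonName of a certificate, for a post-generation sanity check.
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}
```

A postinst would call something like `make_selfsigned "$(hostname -f)" KEYFILE CERTFILE` and skip generation when the files already exist.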

