
Re: server certificates/key pairs and CA directories




On 21/07/15 18:50, Thorsten Glaser wrote:
> Daniel Pocock <daniel <at> pocock.pro> writes:
> 
>> I looked at the package ssl-cert to try and understand and there I found
>> that it is using /etc/ssl/certs for server certs while other packages
> 
> Do NOT do that.
> 

I wasn't suggesting that was desirable; it is just what I observed.  As
mentioned, I had actually reported a bug about it:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790943

I agree that applications should check the CA constraint, but I feel it
increases the risk of administrative and programming errors when
everything is in a single directory.

> It’s causing trouble because some software (e.g. Gajim) reads all files
> under /etc/ssl/certs/ not just the hashed ones – presumably because
> OpenSSL 1.x changed the algorithm used for the hash, while GnuTLS
> keeps using the OpenSSL 0.x one (in MirBSD I just symlink them both).
> 
> My suggestion is:
> 
> /etc/ssl/private/foo.key  ← 0640 root:ssl-cert, secret key
> /etc/ssl/foo.cer ← 0644 root:ssl-cert, public key / certificate plus DH
> parameters
> /etc/ssl/foo.ca ← 0644 root:ssl-cert, certificate chain EXCLUDING root
> certificate
> 
> Then make sure to use the same “foo”.
>

Looking through various Debian boxes, I can't help noticing a range of
directories under /etc/ssl, e.g.


# ls -l /etc/ssl
total 60
drwxr-xr-x 2 root root     20480 Jun  6 18:57 certs
-rw-r--r-- 1 root root     10835 Mar 18  2013 openssl.cnf
drwx--x--- 2 root ssl-cert  4096 Jan 21  2014 private
drwxr-xr-x 2 root root      4096 Oct 20  2007 ssl.crl
drwxr-xr-x 2 root root      4096 Jul  1 18:49 ssl.crt
drwxr-xr-x 2 root root      4096 Jan 21  2014 ssl.csr
drwxr-xr-x 2 root root      4096 Jun  4 13:35 ssl.key
drwxr-xr-x 2 root root      4096 Oct 20  2007 ssl.prm

and on a more recent box:

# ls -l /etc/ssl
total 44
drwxr-xr-x 2 root root     24576 Jan 28  2015 certs
-rw-r--r-- 1 root root     10835 Jun 15  2014 openssl.cnf
drwx--x--- 2 root ssl-cert  4096 Jul 21  2014 private


Does anybody know which packages create or use the /etc/ssl/ssl.*
directories and was there any standard for using them?

The default permissions on /etc/ssl/ssl.key don't look great.
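As an added example that is not part of this thread, a small POSIX sh audit covering the two problems raised above: secret keys under private/ or the older ssl.key/ that are readable beyond root:ssl-cert (wider than the 0640 of the suggested layout), and leaf certificates that ended up in certs/, which is the CA store. The base directory is a parameter so it can be pointed at a constructed sample tree as well as /etc/ssl; the openssl CLI is assumed for the second check and skipped if absent.

```shell
#!/bin/sh
# Added example, not from the thread. Audit an /etc/ssl-style tree for the two
# problems discussed: secret keys readable beyond root:ssl-cert, and non-CA
# certificates dropped into certs/ (the CA trust store). The base directory is a
# parameter so the checks run against a constructed sample tree as well as /etc/ssl.

# Report keys in private/ and the older ssl.key/ whose mode is wider than 0640.
# Returns 0 when clean, 1 when at least one offending file was found.
audit_key_perms() {
    base="$1"; rc=0
    for dir in "$base/private" "$base/ssl.key"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            # Octal -perm tests (POSIX): -004 other-read, -002 other-write,
            # -020 group-write. Any of these exceeds 0640 root:ssl-cert.
            # -H follows a symlinked key so the target's mode is what gets tested.
            wide=$(find -H "$f" \( -perm -004 -o -perm -002 -o -perm -020 \) -print)
            if [ -n "$wide" ]; then
                echo "WIDE-OPEN KEY: $f ($(ls -lL "$f" | cut -c1-10))"
                rc=1
            fi
        done
    done
    return $rc
}

# Report PEM files in certs/ that do not carry basicConstraints CA:TRUE, i.e.
# server/leaf certificates living in the CA store. Needs the openssl CLI; the
# check is skipped (returns 0) when it is not installed.
audit_ca_dir() {
    base="$1"; rc=0
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, CA check skipped"; return 0; }
    for f in "$base"/certs/*.pem; do
        [ -f "$f" ] || continue
        if ! openssl x509 -noout -text -in "$f" 2>/dev/null | grep -q 'CA:TRUE'; then
            echo "NON-CA CERT IN CA STORE: $f"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh audit_ssl.sh /etc/ssl
if [ $# -gt 0 ]; then
    audit_key_perms "$1"
    audit_ca_dir "$1"
fi
```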

