Re: server certificates/key pairs and CA directories
On 21/07/15 18:50, Thorsten Glaser wrote:
> Daniel Pocock <daniel <at> pocock.pro> writes:
>
>> I looked at the package ssl-cert to try and understand and there I found
>> that it is using /etc/ssl/certs for server certs while other packages
>
> Do NOT do that.
>
I wasn't suggesting that was desirable, it is just what I observed. As
mentioned, I had actually reported a bug about it:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790943

I agree that applications should check the CA constraint, but I feel it
increases the risk of administrative and programming errors when
everything is in a single directory.

> It’s causing trouble because some software (e.g. Gajim) reads all files
> under /etc/ssl/certs/ not just the hashed ones – presumably because
> OpenSSL 1.x changed the algorithm used for the hash, while GnuTLS
> keeps using the OpenSSL 0.x one (in MirBSD I just symlink them both).
>
> My suggestion is:
>
> /etc/ssl/private/foo.key ← 0640 root:ssl-cert, secret key
> /etc/ssl/foo.cer ← 0644 root:ssl-cert, public key / certificate plus DH
> parameters
> /etc/ssl/foo.ca ← 0644 root:ssl-cert, certificate chain EXCLUDING root
> certificate
>
> Then make sure to use the same “foo”.
>
Looking through various Debian boxes, I can't help noticing a range of
directories under /etc/ssl, e.g.
# ls -l /etc/ssl
total 60
drwxr-xr-x 2 root root 20480 Jun 6 18:57 certs
-rw-r--r-- 1 root root 10835 Mar 18 2013 openssl.cnf
drwx--x--- 2 root ssl-cert 4096 Jan 21 2014 private
drwxr-xr-x 2 root root 4096 Oct 20 2007 ssl.crl
drwxr-xr-x 2 root root 4096 Jul 1 18:49 ssl.crt
drwxr-xr-x 2 root root 4096 Jan 21 2014 ssl.csr
drwxr-xr-x 2 root root 4096 Jun 4 13:35 ssl.key
drwxr-xr-x 2 root root 4096 Oct 20 2007 ssl.prm
and on a more recent box:
# ls -l /etc/ssl
total 44
drwxr-xr-x 2 root root 24576 Jan 28 2015 certs
-rw-r--r-- 1 root root 10835 Jun 15 2014 openssl.cnf
drwx--x--- 2 root ssl-cert 4096 Jul 21 2014 private
Does anybody know which packages create or use the /etc/ssl/ssl.*
directories and was there any standard for using them?
The default permissions on /etc/ssl/ssl.key don't look great
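
An added example, not part of the original message: a Python check of the layout suggested in the quoted reply (private/foo.key at 0640, foo.cer and foo.ca at 0644, same base name), plus the drwx--x--- mode shown for private/ in the listings. Ownership (root:ssl-cert) is not checked; the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Modes taken from the layout suggested in the quoted message.
KEY_MODE = 0o640     # private/<name>.key
PUBLIC_MODE = 0o644  # <name>.cer and <name>.ca

def extra_bits(path, allowed):
    """Return permission bits set on path beyond the allowed mode."""
    return stat.S_IMODE(os.stat(path).st_mode) & ~allowed & 0o7777

def audit_tls_layout(root):
    """Check root/private/<name>.key, root/<name>.cer and root/<name>.ca."""
    findings = []
    private = os.path.join(root, "private")
    keys = sorted(f for f in os.listdir(private) if f.endswith(".key"))
    for key in keys:
        name = key[:-len(".key")]
        extra = extra_bits(os.path.join(private, key), KEY_MODE)
        if extra:
            findings.append(f"{key}: mode too permissive (extra bits {extra:04o})")
        for ext in (".cer", ".ca"):
            pub = os.path.join(root, name + ext)
            if not os.path.isfile(pub):
                findings.append(f"{name}{ext}: missing for key {key}")
            elif extra_bits(pub, PUBLIC_MODE):
                findings.append(f"{name}{ext}: mode wider than 0644")
    # The listings show private/ as drwx--x--- (0710): no access for others.
    if extra_bits(private, 0o710):
        findings.append("private/: directory mode wider than 0710")
    return findings

def build_sample(key_mode):
    """Constructed sample tree in a temp dir; file contents are placeholders."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "private"))
    os.chmod(os.path.join(root, "private"), 0o710)
    for rel, mode in (("private/foo.key", key_mode), ("foo.cer", 0o644)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for line in audit_tls_layout(build_sample(0o644)):
        print(line)
```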