Control: tags -1 +confirmed +upstream
Control: forcemerge 865649 -1
Hi Heinrich, and thank you for your bug report,
On Wednesday, 24 May 2017, 18:26:11 CEST, Heinrich Schuchardt wrote:
> the cups webserver on port 631 supports the https protocol.
>
> When browsing cups using the https protocol a certificate/key pair is
> created in /etc/cups/ssl.
>
> $ openssl x509 -in /etc/cups/ssl/hostname.crt -text
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 1495639838 (0x5925a71E)
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C = US, CN = hostname, O = hostname, OU = Unknown, ST =
> (…)
>
> Using SHA-1 as signature algorithm is unsafe.
> This algorithm will not be accepted in future browser versions.
That's very much a problem, yes, but upstream is aware of the problem. See
https://github.com/apple/cups/issues/4876 for a somewhat recent discussion
about this.
> I have no clue why the country is set to US. That is not where my system is.
> Please remove this bogus value when fixing the SHA-1 issue.
http://sources.debian.net/src/cups/2.2.4-3/cups/tls-gnutls.c/#L151 is where
this happens; the country code is guessed from the end of your locale setting.
But all that is in vain; we're talking about a self-signed certificate, which is
not trusted (nor trustable nowadays) in modern browsers.
Finally, from a Debian maintenance point of view, I'm not going to diverge
from upstream code on crypto.
Cheers,
OdyX
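As an added example (not code from this thread, from Debian or from CUPS): a stdlib-only Python check that pulls the signatureAlgorithm OID out of a PEM certificate such as /etc/cups/ssl/hostname.crt and flags the SHA-1 signature that the `openssl x509 -text` output above shows. It runs on a minimal DER skeleton constructed inline rather than a real certificate, and the helper and sample names are my own.

```python
import base64
import re
# Signature-algorithm OIDs (RFC 3279) that browsers no longer accept.
WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                       "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Turn OID content octets into dotted form, e.g. 1.2.840.113549.1.1.5."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def pem_to_der(text):
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    return base64.b64decode("".join(body.split()))

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)       # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)  # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def check_certificate(pem):
    """Return (signature OID, weak-algorithm name or None) for a PEM certificate."""
    oid = signature_algorithm_oid(pem_to_der(pem))
    return oid, WEAK_SIGNATURE_OIDS.get(oid)
# Constructed sample (assumption, not a real CUPS cert): minimal DER skeleton signed with sha1WithRSAEncryption.
def tlv(tag, body):  # short-form length only (body < 128 bytes)
    return bytes([tag, len(body)]) + body
SHA1_RSA = bytes.fromhex("2a864886f70d010105")
SAMPLE_DER = tlv(0x30, tlv(0x30, b"") + tlv(0x30, tlv(0x06, SHA1_RSA) + b"\x05\x00") + tlv(0x03, b"\x00"))
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode() + "-----END CERTIFICATE-----\n"
```

On a real system, call check_certificate(open("/etc/cups/ssl/hostname.crt").read()); a non-None second element means the certificate is signed with an algorithm that should be replaced.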