
Bug#863796: marked as done (unblock: e2guardian/3.4.0.3-2)



Your message dated Sat, 03 Jun 2017 21:33:05 +0000
with message-id <E1dHGfR-0004xm-7I@respighi.debian.org>
and subject line unblock e2guardian
has caused the Debian Bug report #863796,
regarding unblock: e2guardian/3.4.0.3-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
863796: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863796
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please consider unblocking not-yet-uploaded package e2guardian

Quite recently Google Chrome changed its policy regarding certificate
requirements. Certs without a subjectAltName field are now rejected.

In the e2guardian content filter system, there is support for filtering
SSL encrypted http traffic by decrypting, checking its content and then
re-encrypting SSL-encrypted content. Whereas some consider this a
m-i-t-m attack, in some setups this makes good sense (e.g. in school
networks).

For re-encrypting the content, a self-signed set of certs gets used.
In previous versions, these certs lacked the SAN field. With a patch
from upstream (that they backported to the 3.4 branch of e2guardian esp.
for Debian 9), this issue has now been fixed.

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862855 for details.

unblock e2guardian/3.4.0.3-2

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru e2guardian-3.4.0.3/debian/changelog e2guardian-3.4.0.3/debian/changelog
--- e2guardian-3.4.0.3/debian/changelog	2016-09-07 16:37:57.000000000 +0200
+++ e2guardian-3.4.0.3/debian/changelog	2017-05-31 11:45:41.000000000 +0200
@@ -1,3 +1,12 @@
+e2guardian (3.4.0.3-2) unstable; urgency=medium
+
+  * debian/patches:
+    + Add 0001_fix-certificate-bug-with-chrome-browser.patch. Make sure
+      self-created certificates contain a SAN (subjectAltName) field. (Closes:
+      #862855).
+
+ -- Mike Gabriel <mike.gabriel@das-netzwerkteam.de>  Wed, 31 May 2017 11:45:41 +0200
+
 e2guardian (3.4.0.3-1) unstable; urgency=medium
 
   * Initial release to Debian. (Closes: #836281).
diff -Nru e2guardian-3.4.0.3/debian/patches/0001_fix-certificate-bug-with-chrome-browser.patch e2guardian-3.4.0.3/debian/patches/0001_fix-certificate-bug-with-chrome-browser.patch
--- e2guardian-3.4.0.3/debian/patches/0001_fix-certificate-bug-with-chrome-browser.patch	1970-01-01 01:00:00.000000000 +0100
+++ e2guardian-3.4.0.3/debian/patches/0001_fix-certificate-bug-with-chrome-browser.patch	2017-05-31 11:40:40.000000000 +0200
@@ -0,0 +1,69 @@
+From 0e2bbdea7b4433b75fb73f8e915dbe0e1095fed1 Mon Sep 17 00:00:00 2001
+From: Fredb <numsys@free.fr>
+Date: Wed, 31 May 2017 09:33:09 +0200
+Subject: [PATCH] Bug #216 (v3.4.0.3) Fix certificate bug with chrome browser
+
+---
+ src/CertificateAuthority.cpp | 24 +++++++++++++++++++++++-
+ src/CertificateAuthority.hpp |  1 +
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/src/CertificateAuthority.cpp b/src/CertificateAuthority.cpp
+index 6202002..4e03ded 100755
+--- a/src/CertificateAuthority.cpp
++++ b/src/CertificateAuthority.cpp
+@@ -118,7 +118,7 @@ bool CertificateAuthority::getSerial(const char *commonname, struct ca_serial *c
+     // added to generate different serial number than previous versions
+     //   needs to be added as an option
+     std::string sname(commonname );
+-    sname += "A";
++    sname += "B";
+ 
+ #ifdef DGDEBUG
+     std::cout << "Generating serial no for " << commonname << std::endl;
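Review bot: the change of the serial suffix from "A" to "B" in getSerial() is not explained anywhere in the patch, and the comment above it still reads "needs to be added as an option". If the intent is to make every generated serial differ from earlier versions so that leaf certificates cached from before this fix (which lack the SAN) are regenerated rather than reused, say so in that comment and in the changelog; if not, the change is unrelated to the subject of the patch and should be split out.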
+@@ -390,6 +390,14 @@ X509 *CertificateAuthority::generateCertificate(const char *commonname, struct c
+         return NULL;
+     }
+ 
++{
++    String temp1 = "DNS:";
++    String temp2 = commonname;
++    temp1 = temp1 + temp2;
++    char    *value = (char*) temp1.toCharArray();
++if( !addExtension(newCert, NID_subject_alt_name, value))
++        log_ssl_errors("Error adding subjectAltName to the request", commonname);
++}
+     //sign it using the ca
+     ERR_clear_error();
+     if (!X509_sign(newCert, _caPrivKey, EVP_sha256())) {
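Review bot: in the new block before `//sign it using the ca`, a failing addExtension() only calls log_ssl_errors() and then falls through to X509_sign(), so a certificate without a SAN is still signed and served, which is exactly the certificate the browser rejects; the error paths just above this block `return NULL;`, and this one should too. The value is always built as "DNS:" + commonname; if commonname can be an IP literal, that entry would need an IP: prefix to match. Style: the braces and the `if( !addExtension(` line are not indented to the surrounding code, and the `(char*)` cast on `temp1.toCharArray()` should not be needed if addExtension takes a `const char *`.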
+@@ -521,4 +529,18 @@ CertificateAuthority::~CertificateAuthority()
+     if (_caPrivKey) EVP_PKEY_free(_caPrivKey);
+     if (_certPrivKey) EVP_PKEY_free(_certPrivKey);
+ }
++
++bool CertificateAuthority::addExtension(X509 *cert, int nid, char *value)
++{
++    X509_EXTENSION *ex = NULL;
++    
++    ex = X509V3_EXT_conf_nid(NULL,NULL , nid, value);
++
++    int result = X509_add_ext(cert, ex, -1);
++
++    X509_EXTENSION_free(ex);
++
++    return (result > 0) ? true : false;
++}
++
+ #endif //__SSLMITM
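Review bot: addExtension() hands `ex` to X509_add_ext() without checking the result of X509V3_EXT_conf_nid(), which returns NULL when the value cannot be parsed; add `if (!ex) return false;` before X509_add_ext() so the failure is explicit rather than relying on X509_add_ext() rejecting a NULL extension. `return (result > 0) ? true : false;` can simply be `return result > 0;` (X509_add_ext() returns 1 on success and 0 on failure).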
+diff --git a/src/CertificateAuthority.hpp b/src/CertificateAuthority.hpp
+index 230932b..0aecf61 100755
+--- a/src/CertificateAuthority.hpp
++++ b/src/CertificateAuthority.hpp
+@@ -25,6 +25,7 @@ class CertificateAuthority
+     time_t _ca_end;
+     static int do_mkdir(const char *path, mode_t mode);
+     int mkpath(const char *path, mode_t mode);
++    bool addExtension(X509 *cert, int nid, char *value);
+ 
+     public:
+     CertificateAuthority(const char *caCert,
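Review bot: the new prototype takes `char *value` although addExtension() never modifies the string; declaring it `const char *value` (provided the OpenSSL version built against accepts a const value in X509V3_EXT_conf_nid()) documents that and removes the need for the cast at the call site in CertificateAuthority.cpp.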
diff -Nru e2guardian-3.4.0.3/debian/patches/series e2guardian-3.4.0.3/debian/patches/series
--- e2guardian-3.4.0.3/debian/patches/series	2016-09-07 16:30:22.000000000 +0200
+++ e2guardian-3.4.0.3/debian/patches/series	2017-05-31 11:40:59.000000000 +0200
@@ -1,3 +1,4 @@
+0001_fix-certificate-bug-with-chrome-browser.patch
 1001_idem-potent-build.patch
 1002_fix-message-typos.patch
 2001_remove-w3c-badge.patch

--- End Message ---
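The report above explains why the fix matters: Chrome matches a host against the certificate's subjectAltName only, and the proxy's generated leaf certificates had none. As an added example (not e2guardian or Debian code), here is a stdlib-only DER walker that reports whether a DER certificate carries a SAN with dNSName entries and applies that SAN-only host rule; build_cert() and der() are assumed helpers that produce a constructed, unsigned certificate-shaped input purely to exercise the extension layout.

```python
SAN_OID = bytes.fromhex("551d11")   # id-ce-subjectAltName = 2.5.29.17

def der_tlv(data, pos=0):
    """Decode one DER TLV at pos -> (tag, value, next_pos); short- and long-form lengths."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:                                    # long form: next (ln & 0x7F) bytes hold the length
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln

def der_children(value):                             # content of a constructed value -> [(tag, value)]
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def san_dns_names(cert_der):
    """dNSName entries of the subjectAltName extension, or None if the certificate has no SAN."""
    tbs = der_children(der_children(der_tlv(cert_der)[1])[0][1])  # Certificate -> tbsCertificate fields
    if not tbs or tbs[-1][0] != 0xA3:                # extensions are [3] EXPLICIT and always last
        return None
    for _, ext in der_children(der_children(tbs[-1][1])[0][1]):  # SEQUENCE OF Extension
        parts = der_children(ext)                    # extnID, [critical], extnValue OCTET STRING
        if parts[0][1] == SAN_OID:
            names = der_children(der_tlv(parts[-1][1])[1])            # GeneralNames SEQUENCE
            return [v.decode("ascii") for t, v in names if t == 0x82]  # [2] IMPLICIT dNSName
    return None

def chrome_accepts_host(cert_der, host):
    """Chrome 58 rule: host must match a SAN dNSName; the subject CN is never a fallback."""
    host = host.lower()
    for name in (n.lower() for n in san_dns_names(cert_der) or []):
        if name == host or (name.startswith("*.") and host.count(".") >= 2
                            and host.split(".", 1)[1] == name[2:]):
            return True                              # wildcard covers only the leftmost label
    return False
# Constructed, unsigned certificate-shaped DER for the demo: NOT a real certificate.
def der(tag, *parts):
    body = b"".join(parts); n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body
def build_cert(common_name, dns_names=None):
    # TBSCertificate shape: version, serial, sigalg, issuer, validity, subject (CN), spki, [extensions]
    subject = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")), der(0x0C, common_name.encode()))))
    fields = [der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), der(0x30), der(0x30), der(0x30), subject, der(0x30)]
    if dns_names is not None:                        # mirror the fix: SAN holding DNS:<name> entries
        general_names = der(0x30, *[der(0x82, n.encode("ascii")) for n in dns_names])
        fields.append(der(0xA3, der(0x30, der(0x30, der(0x06, SAN_OID), der(0x04, general_names)))))
    return der(0x30, der(0x30, *fields), der(0x30), der(0x03, b"\x00"))
```

Run san_dns_names() over a real leaf taken from the proxy (e.g. the DER written by `openssl x509 -outform DER`) to confirm the generated certificates now carry the DNS entry the report describes.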
--- Begin Message ---
Unblocked e2guardian.

--- End Message ---
