Hi DSA, all,

As weasel discovered after updating the soon-to-expire *.debian.org SSL certificates, our config and software are somewhat suboptimal wrt SSL. /etc/ca-certificates.conf on some hosts trusts some CAs but should not, and that isn't configured by puppet nor consistent between hosts.

We would like to fix that by doing this:

* /etc/ca-certificates.conf should contain distrust entries for all certificates installed in the ca-certificates package. debian.org systems should only trust certificates generated by us by default.

* /etc/ssl/certs should contain only certificates for debian.org services. This is for all software that accepts service certs in /etc/ssl/certs; some software like curl does not and only checks for CAs in there.

* /etc/ssl/ca-certs-debian should contain only CA certificates that have signed current debian.org service certificates. This is for software that doesn't check service certificates in /etc/ssl/certs. Services using such software will need to be reconfigured. We should file bugs on these so that they get fixed at some point.

* /etc/ssl/ca-certs-world should contain all CA certificates that are trusted by default in the ca-certificates package. This would be used for tools/services that need to verify certs for external services. Examples are the QA vcswatch service and the RTC service, which currently use manually set up versions of this.

The last two above would also get cert bundles in these paths for software that requires bundles instead of dirs.

/etc/ssl/ca-certs-debian/ca-certificates.crt
/etc/ssl/ca-certs-world/ca-certificates.crt

We can choose different paths for the debian/world stuff of course.

Any comments, questions?

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
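The first item of the proposal, sketched as an added example (not part of the original mail and not DSA's puppet code): it audits which entries a ca-certificates.conf still trusts and rewrites the file so every entry is a distrust entry. The function names and the sample file are constructed; the `!` prefix is the ca-certificates.conf marker for a deselected certificate.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.
# ca-certificates.conf format: "#" starts a comment, a "!" prefix marks a
# deselected certificate (update-ca-certificates does not install it),
# any other non-blank line names a certificate that is trusted.

# Print the entries that a config read from stdin still trusts.
still_trusted() {
    awk '!/^[ \t]*$/ && !/^#/ && !/^!/'
}

# Rewrite a config read from stdin so every certificate entry is deselected.
# Comments, blank lines and already-deselected entries pass through unchanged.
distrust_all() {
    awk '/^[ \t]*$/ || /^#/ || /^!/ { print; next } { print "!" $0 }'
}

# Constructed sample standing in for one host's /etc/ca-certificates.conf.
sample_conf() {
    cat <<'EOF'
# constructed sample, not a real host's file
mozilla/Example_Root_CA_1.crt
!mozilla/Example_Root_CA_2.crt

mozilla/Example_Root_CA_3.crt
EOF
}

echo "trusted before:"
sample_conf | still_trusted
echo "trusted after distrust_all:"
sample_conf | distrust_all | still_trusted
```

Running `still_trusted < /etc/ca-certificates.conf` on each host and comparing the output is a quick way to see the inconsistency between hosts that the mail describes.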