
changes to SSL config on debian.org hosts?



Hi DSA, all,

As weasel discovered after updating the soon-to-expire *.debian.org SSL
certificates, our config and software are somewhat suboptimal wrt SSL.

/etc/ca-certificates.conf on some hosts trusts some CAs that it should
not, and that isn't configured by puppet nor consistent between hosts.

We would like to fix that by doing this:

/etc/ca-certificates.conf should contain distrust entries for all
certificates installed in the ca-certificates package. debian.org
systems should only trust certificates generated by us by default.

/etc/ssl/certs should contain only certificates for debian.org services.
This is for all software that accepts service certs in /etc/ssl/certs,
some software like curl does not and only checks for CAs in there.

/etc/ssl/ca-certs-debian should contain only CA certificates that have
signed current debian.org service certificates. This is for software
that doesn't check service certificates in /etc/ssl/certs. Services
using such software will need to be reconfigured. We should file bugs on
these so that they get fixed at some point.

/etc/ssl/ca-certs-world should contain all CA certificates that are
trusted by default in the ca-certificates package. This would be used
for tools/services that need to verify certs for external services.
Examples are the QA vcswatch service and the RTC service, which
currently use manually set up versions of this.

The last two above would also get cert bundles in these paths for
software that requires bundles instead of dirs.

/etc/ssl/ca-certs-debian/ca-certificates.crt
/etc/ssl/ca-certs-world/ca-certificates.crt

We can choose different paths for the debian/world stuff of course.

Any comments, questions?

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
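
Added example, not part of the original message and not DSA's puppet code: a sketch of the first proposal, auditing an /etc/ca-certificates.conf and rewriting it so every packaged CA is distrusted. It relies on the file format documented in update-ca-certificates(8) ("#" comment, "!" deselected); the function names and the sample entries are constructed for illustration.

```python
import os

# Constructed sample, not taken from a debian.org host.
SAMPLE_CONF = """\
# managed sample file
mozilla/Example_Root_CA_1.crt
!mozilla/Example_Root_CA_2.crt
mozilla/Example_Root_CA_3.crt
"""

def packaged_certs(root="/usr/share/ca-certificates"):
    """List *.crt paths relative to root, as they appear in the conf file."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".crt"):
                found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(found)

def parse(conf_text):
    """Return (trusted, distrusted) certificate paths from conf text."""
    trusted, distrusted = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no trust decision
        if line.startswith("!"):
            distrusted.append(line[1:])
        else:
            trusted.append(line)
    return trusted, distrusted

def distrust_all(conf_text, packaged):
    """Rewrite conf text so every listed and packaged cert has a '!' entry.

    Comments and blank lines are kept, existing entries are flipped to
    distrust, and packaged certs missing from the file are appended.
    """
    out, seen = [], set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            out.append(raw)
            continue
        path = line.lstrip("!")
        seen.add(path)
        out.append("!" + path)
    out.extend("!" + p for p in sorted(packaged) if p not in seen)
    return "\n".join(out) + "\n"
```

On a host, parse(open("/etc/ca-certificates.conf").read())[0] lists what is still trusted; after writing the output of distrust_all(), update-ca-certificates has to be run for /etc/ssl/certs to reflect it.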
