Package: ssl-cert
Version: 1.0.14
Severity: important
Tags: patch
User: [EMAIL PROTECTED]
Usertags: ubuntu-patch origin-ubuntu hardy
make-ssl-cert currently uses 'hostname' to set the cn of the default snake
oil certificate. This results in a cn set to a relative hostname, not an
FQDN (which would be given by 'hostname -f'). This yields a suboptimal
certificate: OpenLDAP, for instance, will map 'localhost' to the fqdn when
verifying certificates, which will properly fail to match the relative
hostname in most cases, and there's also the issue that having a certificate
that only works with the relative hostname ensures that users will only
/connect/ using the relative hostname, opening a subtle attack vector in the
form of hostname collisions in the domain search list.
The attached patch implements this change in the most trivial fashion.
However, it's probably also reasonable to have the unqualified hostname as
an alternative name in the certificate for convenience; in that case, it
makes sense to add a subjectAlternativeName to the snakeoil cert as well,
including the value of $(hostname). If you prefer, I can look at
implementing this.
Incidentally, is this package actually maintained today? I notice that the
maintainer is listed as "Debian Apache Maintainers", and that none of the
uploaders listed have been active in Apache maintenance for some time...
Cheers,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
[EMAIL PROTECTED] [EMAIL PROTECTED]
diff -Nru ssl-cert-1.0.14/debian/changelog ssl-cert-1.0.14/debian/changelog
--- ssl-cert-1.0.14/debian/changelog 2007-02-02 22:47:27.000000000 -0800
+++ ssl-cert-1.0.14/debian/changelog 2008-02-09 14:15:27.000000000 -0800
@@ -1,3 +1,13 @@
+ssl-cert (1.0.14-0.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Use 'hostname -f' for the snakeoil CN instead of 'hostname', since
+ relative hostnames are subject to namespace collisions that could be
+ exploited (and also because OpenLDAP doesn't care for them when
+ connecting to localhost).
+
+ -- Steve Langasek <[EMAIL PROTECTED]> Sat, 09 Feb 2008 22:13:25 +0000
+
ssl-cert (1.0.14) unstable; urgency=low
* Non-maintainer upload to fix pending l10n issues.
diff -Nru /tmp/jDzpFqLCPH/ssl-cert-1.0.14/make-ssl-cert /tmp/rrqcQpBL77/ssl-cert-1.0.14/make-ssl-cert
--- ssl-cert-1.0.14/make-ssl-cert 2006-05-18 05:02:20.000000000 -0700
+++ ssl-cert-1.0.14/make-ssl-cert 2008-02-09 14:15:45.000000000 -0800
@@ -56,7 +56,7 @@
LocalityName="Everywhere"
OrganisationName="OCOSA"
OUName="Office for Complication of Otherwise Simple Affairs"
- HostName="$(hostname)"
+ HostName="$(hostname -f)"
Email="[EMAIL PROTECTED]"
}
