On Tue, 21 Aug 2007, Natanael Copa wrote:
> Hi,
>
> I use the gentoo framework to build binary packages. I noticed that most
> packages create the ssl certificate during src_install(). This makes
> all binary packages contain the ssl certs, which is a security threat.
Hi,

If you are really concerned about security, then you do not want to use such automatically-generated certificates. They generally contain fake CN names (e.g. "CN=localhost") and they are not expected in a PKI environment: they can't be checked or trusted. You will generate your own certificates with your own root CA, your own CRL and your own policy.

> The net-nds/openldap package has understood this and calls docert from
> pkg_postinst() and even includes this comment:
>
> # You cannot build SSL certificates during src_install that will make
> # binary packages containing your SSL key, which is both a security risk
> # and a misconfiguration if multiple machines use the same key and cert.

I guess openldap generates self-signed certificates with generic CN names, and this problem is not solved this way.

Cheers,
--
Raphael Marichez aka Falco
Gentoo/Security
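The setup the reply recommends (your own root CA, your own CRL, your own policy), as an added example that is not part of the thread: an `openssl` script that issues a per-host certificate from a private CA, revokes it through a CRL, and shows that a self-signed "CN=localhost" certificate of the kind a src_install() helper would ship cannot be validated against that CA at all. The scratch directory, file names, hostnames and subjects are constructed for the example; it assumes an `openssl` binary with the `req`, `ca` and `verify` commands.

```shell
set -eu
cd "$(mktemp -d)"                 # scratch directory for keys, certs and the CA database
: > index.txt; echo 01 > serial   # empty CA database and first serial number
cat > ca.cnf <<'EOF'              # shared config for openssl req and openssl ca
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = local_ca
[ local_ca ]
database = index.txt
serial = serial
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
default_md = sha256
policy = policy_cn_only
[ policy_cn_only ]
commonName = supplied
EOF
# Self-signed, generic-CN certificate of the kind a src_install() helper bakes into a package.
make_package_cert() {
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=localhost" -keyout pkg.key -out pkg.crt 2>/dev/null
}
# Your own root CA, with an initially empty CRL.
setup_ca() {
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Internal Root CA" -keyout ca.key -out ca.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -crldays 30 -out ca.crl 2>/dev/null
}
# A per-host certificate issued by that CA and recorded in index.txt (constructed hostname).
issue_host_cert() {
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=ldap.example.internal" -keyout host.key -out host.csr 2>/dev/null
  openssl ca -config ca.cnf -batch -notext -days 365 -in host.csr -out host.crt 2>/dev/null
}
# Revoke the host certificate and publish an updated CRL.
revoke_host_cert() {
  openssl ca -config ca.cnf -revoke host.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -crldays 30 -out ca.crl 2>/dev/null
}
# Returns 0 if CERT chains to ca.crt and is not listed on ca.crl, non-zero otherwise.
verify_cert() {
  openssl verify -CAfile ca.crt -crl_check -CRLfile ca.crl "$1" >/dev/null 2>&1
}
```

Run `setup_ca`, `issue_host_cert` and `make_package_cert`, then `verify_cert host.crt` succeeds while `verify_cert pkg.crt` fails because nothing vouches for the package's self-signed certificate. After `revoke_host_cert`, `verify_cert host.crt` fails too, which is the revocation check the thread's auto-generated certificates can never offer.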