Jaldhar H. Vyas *nix forums addict
Joined: 19 Feb 2005
Posts: 60
Posted: Fri Jun 30, 2006 3:00 pm Post subject:
Using the SSL snakeoil certificate
Following up to myself with a proper subject line.
In bug #376146, Martin Pitt wrote:
> In an effort to clean up the SSL certificate mess on Ubuntu servers, we
> recently converted all our supported Server packages to make use of
> the ssl-cert package instead of creating a package-specific
> self-signed SSL certificate. This allows admins to easily replace the
> certificate with a 'real' one without touching dozens of configuration
> files, and also provides a consistent setup out of the box.
Is this a good idea for Debian? I think it is but it doesn't make sense to
switch dovecot over unless all the other ssl-cert using packages also do it.
Is this possible in the etch timeframe?
--
Jaldhar H. Vyas <jaldhar@debian.org>
La Salle Debain - http://www.braincells.com/debian/
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
James Westby *nix forums addict
Joined: 16 Jan 2006
Posts: 51
Posted: Fri Jun 30, 2006 3:20 pm Post subject:
Re: Using the SSL snakeoil certificate
On (30/06/06 10:51), Jaldhar H. Vyas wrote:
> Following up to myself with a proper subject line.
> In bug #376146, Martin Pitt wrote:
> > In an effort to clean up the SSL certificate mess on Ubuntu servers, we
> > recently converted all our supported Server packages to make use of
> > the ssl-cert package instead of creating a package-specific
> > self-signed SSL certificate. This allows admins to easily replace the
> > certificate with a 'real' one without touching dozens of configuration
> > files, and also provides a consistent setup out of the box.
> Is this a good idea for Debian?
I hadn't seen the package before and it looks pretty decent. I think it would
help get some consistency between all of the packages that have to create
certs. It could perhaps even be wrapped up in to a debhelper tool if it
is widespread enough.
> I think it is but it doesn't make sense
> to switch dovecot over unless all the other ssl-cert using packages also do
> it. Is this possible in the etch timeframe?
I'm not sure, and maybe it's not the time to be trying to do this. Has
anyone got a suggestion for a way to find the list of packages that
generate a certificate in their postinst? That would help the decision.
James
--
James Westby
jw+debian@jameswestby.net
http://jameswestby.net/
Brian May *nix forums Guru Wannabe
Joined: 27 Feb 2005
Posts: 109
Posted: Mon Jul 03, 2006 12:20 am Post subject:
Re: Using the SSL snakeoil certificate
> "Jaldhar" == Jaldhar H Vyas <jaldhar@debian.org> writes:
> > In an effort to clean up the SSL certificate mess on Ubuntu
> > servers, we recently converted all our supported Server
> > packages to make use of the ssl-cert package instead of
> > creating a package-specific self-signed SSL certificate. This
> > allows admins to easily replace the certificate with a 'real'
> > one without touching dozens of configuration files, and also
> > provides a consistent setup out of the box.
Jaldhar> Is this is a good idea for Debian? I think it is but it
Jaldhar> doesn't make sense to switch dovecot over unless all the
Jaldhar> other ssl-cert using packages also do it. Is this
Jaldhar> possible in the etch timeframe?
I would really like it - I find it tedious configuring SSL
certificates for each and every package, when they usually are the
same...
Having one copy reduces the chances of accidentally storing a private
key somewhere with inappropriate permissions.
I don't expect such a system to implement virtual hosting without
system administrator intervention, but a naming convention for the files
that supports virtual hosts would be even better IMHO, e.g.:
/etc/.../$hostname/...
Where hostname is the name of the host identified by the
certificate. That way adding/removing other certificates is easy.
--
Brian May <bam@debian.org>
Henrique de Moraes Holsch *nix forums Guru
Joined: 21 Feb 2005
Posts: 541
Posted: Mon Jul 03, 2006 12:50 am Post subject:
Re: Using the SSL snakeoil certificate
On Mon, 03 Jul 2006, Brian May wrote:
> I don't expect such a system to implement virtual hosting without
> system administrator intervention, but a naming convention for the files
We must make this intervention easy, but other than that...
> that supports virtual hosts would be even better IMHO, e.g.:
> /etc/.../$hostname/...
> Where hostname is the name of the host identified by the
> certificate. That way adding/removing other certificates is easy.
I very much doubt it would be easy to get the many APPs to expand that
"$hostname"...
IMHO we will be best served by going simple on this one and providing a
boxed solution for single-certificate-per-host only.
The much safer and saner per-service-certificate-per-host will require
per-service configuration anyway...
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
Petter Reinholdtsen *nix forums Guru Wannabe
Joined: 20 Feb 2005
Posts: 188
Posted: Mon Jul 03, 2006 9:40 pm Post subject:
Re: Using the SSL snakeoil certificate
[Jaldhar H. Vyas]
> Is this a good idea for Debian? I think it is but it doesn't make
> sense to switch dovecot over unless all the other ssl-cert using
> packages also do it. Is this possible in the etch timeframe?
Yes, it is a good idea to make the SSL certificate handling in Debian
packages more consistent. In Debian-Edu, we install and automatically
configure several services with SSL certificates, like imap, ldap and
webmin, and it is a pain to handle all the ways SSL-certificates are
generated. :)
Friendly,
--
Petter Reinholdtsen
James Westby *nix forums addict
Joined: 16 Jan 2006
Posts: 51
Posted: Mon Jul 03, 2006 10:20 pm Post subject:
Re: Using the SSL snakeoil certificate
On (03/07/06 23:34), Petter Reinholdtsen wrote:
> [Jaldhar H. Vyas]
> > Is this a good idea for Debian? I think it is but it doesn't make
> > sense to switch dovecot over unless all the other ssl-cert using
> > packages also do it. Is this possible in the etch timeframe?
> Yes, it is a good idea to make the SSL certificate handling in Debian
> packages more consistent. In Debian-Edu, we install and automatically
> configure several services with SSL certificates, like imap, ldap and
> webmin, and it is a pain to handle all the ways SSL-certificates are
> generated. :)
So, as this proposal seemed to provoke a response that was somewhere
between non-caring and enthusiastic I thought I would look in to the
possibility of doing this.
An estimate of the packages that generate a certificate in postinst
(let's hope there are none that include them in the package) I tried:
$ grep-available -FDepends openssl -sPackage -n | sort
apache-ssl
apache2-common
ca-certificates
courier-imap-ssl
courier-ssl
dovecot-common
dsniff
ejabberd
exim-tls
freeswan
ftpd-ssl
httping
ipopd
libapache-mod-ssl
libmultisync-plugin-syncml
nessusd
openoffice.org-core
partimage-server
python-pyopenssl
ssl-cert
ssleay
sslwrap
stone-ssl
stunnel
stunnel4
telnetd-ssl
tinyca
ultrapossum-tls
usermin
uw-imapd
webmin
which is a reasonable number (especially as some of these will be
false-positives). So then to see how ssl-cert is actually used I
downloaded the source of apache2 and looked in
debian/apache2-common.postinst where I found
# Make self-signed certificate
#if [ ! -f /etc/apache2/ssl/apache.pem ]
#then
# /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf
# /etc/apache2/ssl/apache.pem
#fi
So looking in the changelog.debian I found the following
apache2 (2.0.48- unstable; urgency=low
* Disable ssl-cert until it sucks less. related to 230791 (closes: #231726)
-- Thom May <thom@debian.org> Mon, 2 Feb 2004 12:47:10 +0000
(that is http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=230791 and
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=231726,
http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=ssl-cert is also
quite enlightening)
So, it seems the only packages in Debian that use ssl-cert don't
actually at the moment.
So it seems like ssl-cert needs some work before it can be used by more
packages. The maintainers of ssl-cert are the apache maintainers
themselves, so it doesn't look like they'll be sorting it out soon.
I am willing to work a bit on getting it in to shape, does anyone want
to volunteer to help out and then create patches for all the necessary
packages?
James
--
James Westby
jw+debian@jameswestby.net
http://jameswestby.net/
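One way to do the survey James asks about above, added here as an example that is not from the thread or from any Debian package: rather than inferring from Depends: openssl, scan the maintainer scripts dpkg keeps under /var/lib/dpkg/info for commands that actually create a key pair, skipping commented-out code like the apache2 snippet quoted in this post. INFO_DIR, find_cert_generators and the four sample postinst scripts are constructed for this example; the regex covers the ssl-cert wrapper (make-ssl-cert) and the raw openssl subcommands.

```shell
#!/bin/sh
# Added example (not from the thread or any Debian package): report which
# installed packages create a certificate in their postinst by scanning the
# maintainer scripts dpkg keeps under /var/lib/dpkg/info. INFO_DIR is an
# assumed variable; the sample scripts below are constructed stand-ins.
set -eu

# Commands that mint a key/cert pair: the ssl-cert wrapper (make-ssl-cert)
# and the raw openssl subcommands that packages call directly.
CERT_GEN_RE='make-ssl-cert|openssl[[:space:]]+(req|genrsa|x509)'

# Print the package name for every postinst that runs a cert-generating
# command. Comment lines are dropped first, so code a maintainer has
# disabled (as apache2 did) is not reported.
find_cert_generators() {
    info_dir="$1"
    for script in "$info_dir"/*.postinst; do
        [ -e "$script" ] || continue
        pkg=$(basename "$script" .postinst)
        if grep -vE '^[[:space:]]*#' "$script" | grep -qE "$CERT_GEN_RE"; then
            echo "$pkg"
        fi
    done
}

# Constructed sample scripts standing in for a real dpkg info directory.
make_sample_info_dir() {
    d=$(mktemp -d)
    cat > "$d/dovecot-common.postinst" <<'EOF'
#!/bin/sh
set -e
# constructed: generates its own self-signed pair on first install
if [ ! -f /etc/ssl/certs/dovecot.pem ]; then
    openssl req -new -x509 -nodes -days 365 -config /etc/dovecot/dovecot-openssl.cnf \
        -out /etc/ssl/certs/dovecot.pem -keyout /etc/ssl/private/dovecot.pem
fi
EOF
    cat > "$d/apache2-common.postinst" <<'EOF'
#!/bin/sh
set -e
# constructed: the ssl-cert call is commented out, as in the thread
#if [ ! -f /etc/apache2/ssl/apache.pem ]; then
#    /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
#fi
EOF
    cat > "$d/webmin.postinst" <<'EOF'
#!/bin/sh
set -e
# constructed: uses the ssl-cert wrapper
[ -f /etc/webmin/miniserv.pem ] || /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/webmin/miniserv.pem
EOF
    cat > "$d/httping.postinst" <<'EOF'
#!/bin/sh
set -e
# constructed: depends on openssl but never creates a certificate
EOF
    echo "$d"
}

# Demo run against the constructed directory; set INFO_DIR=/var/lib/dpkg/info
# to scan a real system instead.
INFO_DIR="${INFO_DIR:-$(make_sample_info_dir)}"
find_cert_generators "$INFO_DIR"
```

Against the constructed directory this prints dovecot-common and webmin only: apache2-common is skipped because its make-ssl-cert call is commented out, and httping never generates anything, which is exactly the false-positive class the Depends-based list cannot tell apart.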
Uwe A. P. Wuerdinger *nix forums beginner
Joined: 14 Mar 2005
Posts: 6
Posted: Tue Jul 04, 2006 6:20 pm Post subject:
Re: Using the SSL snakeoil certificate
James Westby wrote:
> On (03/07/06 23:34), Petter Reinholdtsen wrote:
> > [Jaldhar H. Vyas]
> > > Is this a good idea for Debian? I think it is but it doesn't make
> > > sense to switch dovecot over unless all the other ssl-cert using
> > > packages also do it. Is this possible in the etch timeframe?
> > Yes, it is a good idea to make the SSL certificate handling in Debian
> > packages more consistent. In Debian-Edu, we install and automatically
> > configure several services with SSL certificates, like imap, ldap and
> > webmin, and it is a pain to handle all the ways SSL-certificates are
> > generated. :)
> So, as this proposal seemed to provoke a response that was somewhere
> between non-caring and enthusiastic I thought I would look in to the
> possibility of doing this.
> An estimate of the packages that generate a certificate in postinst
> (let's hope there are none that include them in the package) I tried:
> $ grep-available -FDepends openssl -sPackage -n | sort
> apache-ssl
> apache2-common
> ca-certificates
> courier-imap-ssl
> courier-ssl
> dovecot-common
> dsniff
> ejabberd
> exim-tls
> freeswan
> ftpd-ssl
> httping
> ipopd
> libapache-mod-ssl
> libmultisync-plugin-syncml
> nessusd
> openoffice.org-core
> partimage-server
> python-pyopenssl
> ssl-cert
> ssleay
> sslwrap
> stone-ssl
> stunnel
> stunnel4
> telnetd-ssl
> tinyca
> ultrapossum-tls
> usermin
> uw-imapd
> webmin
Well there are a number of packages out there that can use X509 Certs
but don't do so now as per default for example lighttpd.
racoon seems to be missing as well but it doesn't look to be in good
shape (in testing) anyway.
I'd like to help but I'm not a DD.
greets Uwe
--
http://www.x-tec.de
http://www.highspeed-firewall.de
Adam Borowski *nix forums addict
Joined: 16 Mar 2005
Posts: 65
Posted: Tue Jul 04, 2006 9:30 pm Post subject:
Re: Using the SSL snakeoil certificate
On Tue, Jul 04, 2006 at 02:38:30PM +0200, "Uwe A. P. Würdinger" wrote:
> James Westby wrote:
> > An estimate of the packages that generate a certificate in postinst
> > (let's hope there are none that include them in the package) I tried:
> > $ grep-available -FDepends openssl -sPackage -n | sort
> Well there are a number of packages out there that can use X509 Certs
> but don't do so now as per default for example lighttpd.
Toss pound into the list as well.
--
1KB // Microsoft corollary to Hanlon's razor:
// Never attribute to stupidity what can be
// adequately explained by malice.
Martin Schulze *nix forums addict
Joined: 21 Feb 2005
Posts: 55
Posted: Thu Jul 20, 2006 9:30 am Post subject:
Re: Using the SSL snakeoil certificate
Jaldhar H. Vyas wrote:
> In bug #376146, Martin Pitt wrote:
> > In an effort to clean up the SSL certificate mess on Ubuntu servers, we
> > recently converted all our supported Server packages to make use of
> > the ssl-cert package instead of creating a package-specific
> > self-signed SSL certificate. This allows admins to easily replace the
> > certificate with a 'real' one without touching dozens of configuration
> > files, and also provides a consistent setup out of the box.
> Is this a good idea for Debian? I think it is but it doesn't make sense
> to switch dovecot over unless all the other ssl-cert using packages also do
> it. Is this possible in the etch timeframe?
I believe that this is a good idea, however, I would like to propose a
slightly different approach.
At the moment, it seems that all applications use their own
certificates and maybe also create them upon installation or rather
configuration.
It may be useful to have a certificate for each service, but it may
also be useful to have one certificate for all services. This may be
discussible but needs to be decided by the local admin anyway. Hence,
we should try to make both ways easily implementable, especially if
the system is to be reviewed or redesigned.
Hence, I propose to stay with virtual per-service certificates, but to
link them to the common snakeoil certificate from ssl-certificates
during configuration and only if there is no other setting.
For example:
Dovecot uses </etc/ssl/certs/dovecot.pem>.
This is a symbolic link to </etc/ssl/certs/ssl-cert-snakeoil.pem> if
the above file or link does not exist during configuration of
dovecot.
That way, the admin can easily replace the symlink with a real
certificate if they want per-service certificates.
If, however, they want to have one real certificate for everything,
they can replace the snakeoil certificate like Martin Pitt proposed.
I would like to see some coordination between maintainers of packages
that use or create such certificates. It'll take a while to implement
this anyway, so if only a few packages start and others follow later,
that'd be an improvement anyway.
Regards,
Joey
--
Open source is important from a technical angle. -- Linus Torvalds
Please always Cc to me when replying to me on the lists.
Klaus Ethgen *nix forums beginner
Joined: 12 Apr 2005
Posts: 30
Posted: Thu Jul 20, 2006 3:30 pm Post subject:
Re: Using the SSL snakeoil certificate
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thu, 20 Jul 2006 at 11:24, Martin Schulze wrote:
> [one cert for all services]
> I believe that this is a good idea, however, I would like to propose a
> slightly different approach.
> At the moment, it seems that all applications use their own
> certificates and maybe also create them upon installation or rather
> configuration.
I like this idea mentioned above. Isn't it easy to ask the admin in
debconf for every service if he wants separate certs or all linked
together?
> Hence, I propose to stay with virtual per-service certificates, but to
> link them to the common snakeoil certificate from ssl-certificates
> during configuration and only if there is no other setting.
That would be another way.
Regards
Klaus Ethgen
- --
Klaus Ethgen http://www.ethgen.de/
pub 2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE EA 40 30 57 3C 88 26 2B
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iQEVAwUBRL+ftp+OKpjRpO3lAQJtJgf+M4e/D970JQZDTbUg00z4PTBVD0ts7Hex
XffYVpJt+dhQzXh2ljO/7vuqH2wxWvSuxevix4QSpAeJl9RpFceFsgMerpT7rqIv
lPzo+JljGeWQb02kNnRZE8aRhNjsesEBr6RIDwRnB8+zKgxzTKOqdH0pvi3iTkUB
39fBJ1v3NcYxc7DDwRWcG1Aw9I6yJgsMGexiQs0w/OZ9yY3aE8HQuyiaPhy7UnJr
FvJyO2Ddv4AOMXxVIf2PRpcGsbKf0y0mX30mVVL3FzW+qPPC8PBeM/iAnex+oZGL
wrWsdvzk3L93KMaS2EdgwW+k/0AnwPq6XNj+0XoWZJIuljHLr9xPJw==
=a/xx
-----END PGP SIGNATURE-----
Martin Schulze *nix forums addict
Joined: 21 Feb 2005
Posts: 55
Posted: Thu Jul 20, 2006 3:40 pm Post subject:
Re: Using the SSL snakeoil certificate
(please copy debian-devel, feel free to bounce my mail there after
you've done so, for others to be able to comment as well).
Klaus Ethgen wrote:
> On Thu, 20 Jul 2006 at 11:24, Martin Schulze wrote:
> > [one cert for all services]
> > I believe that this is a good idea, however, I would like to propose a
> > slightly different approach.
> > At the moment, it seems that all applications use their own
> > certificates and maybe also create them upon installation or rather
> > configuration.
> I like this idea mentioned above. Isn't it easy to ask the admin in
> debconf for every service if he wants separate certs or all linked
> together?
No! Please don't introduce more questions that are not required for
packages to work properly. Debconf is not a general configuration
utility that should subsume all possible configurations. Instead it
should only ask what is required for the package to work properly in
a default environment.
If an admin wants to use different certs, they should be able to do
so easily, but it's not acceptable to ask everybody whether to use
shared or singular certificates, or to create a cert, or to install
an already created and certified one, or, or, or...
Regards,
Joey
--
Open source is important from a technical angle. -- Linus Torvalds
Please always Cc to me when replying to me on the lists.
Milan P. Stanic *nix forums beginner
Joined: 12 Jun 2005
Posts: 7
Posted: Thu Jul 20, 2006 8:50 pm Post subject:
Re: Using the SSL snakeoil certificate
On Thu, Jul 20, 2006 at 11:24:34AM +0200, Martin Schulze wrote:
> For example:
> Dovecot uses </etc/ssl/certs/dovecot.pem>.
> This is a symbolic link to </etc/ssl/certs/ssl-cert-snakeoil.pem> if
> the above file or link does not exist during configuration of
> dovecot.
> That way, the admin can easily replace the symlink with a real
> certificate if they want per-service certificates.
> If, however, they want to have one real certificate for everything,
> they can replace the snakeoil certificate like Martin Pitt proposed.
Sorry if I misunderstand something, but is it okay to call it snakeoil
if it is a real certificate? I like to say that the symbolic links for
per-service certificate shouldn't point to something called snake-oil.
Just my opinion.
tony mancill *nix forums beginner
Joined: 07 Feb 2005
Posts: 5
Posted: Thu Jul 20, 2006 9:40 pm Post subject:
Re: Using the SSL snakeoil certificate
On Thu, Jul 20, 2006 at 11:24:34AM +0200, Martin Schulze wrote:
> Hence, I propose to stay with virtual per-service certificates, but to
> link them to the common snakeoil certificate from ssl-certificates
> during configuration and only if there is no other setting.
> For example:
> Dovecot uses </etc/ssl/certs/dovecot.pem>.
> This is a symbolic link to </etc/ssl/certs/ssl-cert-snakeoil.pem> if
> the above file or link does not exist during configuration of
> dovecot.
> That way, the admin can easily replace the symlink with a real
> certificate if they want per-service certificates.
> If, however, they want to have one real certificate for everything,
> they can replace the snakeoil certificate like Martin Pitt proposed.
This would be a great improvement. I'd suggest one more level of
symlinks. Have the individual services symlink to
/etc/ssl/certs/ssl-cert-site.pem, which is then symlinked to
ssl-cert-snakeoil.pem. When/if the local admin installs an actual
site-wide certificate, updating the one ssl-cert-site.pem symlink will
update all of the individual services using the site cert, and the
snakeoil cert is still available if you ever need to fail back to it.
tony
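Joey's per-service symlink rule and tony's extra site-wide level, put together as an added example (shell; not code from the thread or from the ssl-cert package). Everything lives under SSL_ROOT, an assumed variable defaulting to a temporary directory, so it runs without touching /etc; the snakeoil files are constructed stand-ins for what make-ssl-cert would produce, link_if_absent carries the "only if nothing is there yet" rule that keeps a postinst idempotent, and check_key_perms adds the permission check that Brian May's point about one shared private key calls for (it assumes GNU stat -c).

```shell
#!/bin/sh
# Added example (not from the thread or the ssl-cert package): the two-level
# layout <service>.pem -> ssl-cert-site.pem -> ssl-cert-snakeoil.pem, with the
# "only if nothing is there yet" rule that keeps a postinst idempotent.
# SSL_ROOT is an assumed variable standing in for /etc/ssl.
set -eu

SSL_ROOT="${SSL_ROOT:-$(mktemp -d)}"
CERT_DIR="$SSL_ROOT/certs"
KEY_DIR="$SSL_ROOT/private"

# Create symlink $2 -> $1 only when nothing (file or link) already exists at
# $2: an admin-installed file is never overwritten, and re-running is harmless.
link_if_absent() {
    if [ ! -e "$2" ] && [ ! -L "$2" ]; then
        ln -s "$1" "$2"
    fi
}

# Constructed stand-ins for the pair make-ssl-cert would create, plus the
# site-wide indirection that admins re-point when they install a real cert.
setup_snakeoil() {
    mkdir -p "$CERT_DIR" "$KEY_DIR"
    chmod 0710 "$KEY_DIR"
    if [ ! -e "$CERT_DIR/ssl-cert-snakeoil.pem" ]; then
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed snakeoil cert' \
            '-----END CERTIFICATE-----' > "$CERT_DIR/ssl-cert-snakeoil.pem"
        printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed snakeoil key' \
            '-----END PRIVATE KEY-----' > "$KEY_DIR/ssl-cert-snakeoil.key"
        chmod 0640 "$KEY_DIR/ssl-cert-snakeoil.key"
    fi
    link_if_absent ssl-cert-snakeoil.pem "$CERT_DIR/ssl-cert-site.pem"
    link_if_absent ssl-cert-snakeoil.key "$KEY_DIR/ssl-cert-site.key"
}

# What a package postinst would do for service $1: point <service>.pem/.key
# at the site pair, but only if the admin has put nothing there already.
link_service_cert() {
    link_if_absent ssl-cert-site.pem "$CERT_DIR/$1.pem"
    link_if_absent ssl-cert-site.key "$KEY_DIR/$1.key"
}

# Follow the chain so a service shows which certificate it really serves.
resolve_service_cert() {
    readlink -f "$CERT_DIR/$1.pem"
}

# Re-point every service still on the site cert in one step (tony's point):
# only the site links change, and the snakeoil pair stays available.
install_site_cert() {
    ln -sf "$1" "$CERT_DIR/ssl-cert-site.pem"
    ln -sf "$2" "$KEY_DIR/ssl-cert-site.key"
}

# One shared private key is easier to keep private (Brian May's point); this
# fails if any key, after following links, is readable by "other".
# Assumes GNU stat -c.
check_key_perms() {
    status=0
    for k in "$KEY_DIR"/*.key; do
        target=$(readlink -f "$k")
        mode=$(stat -c '%a' "$target")
        if [ $(( (mode % 10) & 4 )) -ne 0 ]; then
            echo "world-readable private key: $target (mode $mode)" >&2
            status=1
        fi
    done
    return $status
}

# Demo: provision two services, then show what they resolve to.
setup_snakeoil
link_service_cert dovecot
link_service_cert apache2
for svc in dovecot apache2; do
    echo "$svc -> $(resolve_service_cert "$svc")"
done
if check_key_perms; then
    echo "no world-readable private keys"
fi
```

Running it a second time changes nothing, which is the property a postinst needs on upgrades; replacing dovecot.pem with a real file and re-running leaves that file alone, while install_site_cert moves every service that is still on the site link without touching the per-service override.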