Hi,

The patch from Debian #628780 caused a regression with certificates using CRLF line-endings, which prompted me to take a look at the discussion here. (Debian #642314 is the regression.)
Outside of CRLF line-endings, there seems to be potential for more regressions in this patch:

a) link_hash_cert() only searches for "BEGIN CERTIFICATE", not for "BEGIN X509 CERTIFICATE" or "BEGIN TRUSTED CERTIFICATE", which are allowed in other parts of the file
b) this requires a tempdir with write permissions, which might be a problem for certain deployments calling c_rehash
c) this causes a lot of writes (each certificate is written to a tempfile which gets deleted); again, this might be a problem if some deployments run c_rehash on a large number of certificates

I'm particularly worried about c) because the whole point of c_rehash is to speed up lookup when there is a large number of certificates (e.g. client certificates). If there is a large number of certificates, then writing each of them to a tempfile is going to be time consuming. If there are many certificates, one can also imagine that certificates are added/removed frequently, requiring frequent runs of c_rehash.

The root problem here is really that the openssl command-line doesn't support multiple certificates in a single file, so why not fix that instead? E.g. we could add a flag to x509 to output information about ALL certificates (it already has tons of other random options). This would allow -fingerprint and -hash or even -text to be useful on files with multiple certificates. Then ca-certificates would get updated to use this flag (which probably wouldn't be the default for backwards-compatibility reasons).
In my eyes, the drawbacks of the patch are quite bad; perhaps it would be a better idea to:

* split cacert.org.crt in two files, one per certificate; this would also allow administrators to enable certificates selectively in /etc/ca-certificates.conf
* document the limitation in openssl / ca-certificates that only the first certificate gets picked up
* optionally, we could let ca-certificates or c_rehash fail (if some flag is set and) if multiple certificates are in a single file

Cheers,
-- 
Loïc Minier
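As an added illustration (editor's example, not code from the mail or from c_rehash), a small PEM bundle splitter that avoids the two regression sources discussed above, CRLF line endings and the X509 / TRUSTED CERTIFICATE labels, and computes the per-certificate fingerprint that "x509 -fingerprint" only gives for the first one. The sample bundle is constructed and its base64 bodies are placeholders, not real certificates.

```python
import base64
import hashlib
import re
from typing import List, Tuple

# Certificate labels OpenSSL's PEM reader accepts; the regression described
# above only matched the first one.
CERT_LABELS = ("CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE")

# One PEM block; \r?\n lets the header line end in CRLF as well as LF.
_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def split_pem_certificates(data: str) -> List[Tuple[str, str]]:
    """Return (label, LF-normalised PEM block) for every certificate in a bundle.

    Non-certificate blocks (e.g. a PRIVATE KEY) are skipped, not hashed.
    """
    certs = []
    for m in _BLOCK_RE.finditer(data):
        label = m.group("label")
        if label not in CERT_LABELS:
            continue
        # splitlines() swallows the CR, so CRLF and LF input yield identical output.
        lines = [ln.strip() for ln in m.group("body").splitlines() if ln.strip()]
        block = "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])
        certs.append((label, block + "\n"))
    return certs


def sha1_fingerprint(pem_block: str) -> str:
    """Colon-separated SHA-1 of the DER bytes, the format 'x509 -fingerprint' prints."""
    body = "".join(pem_block.splitlines()[1:-1])
    digest = hashlib.sha1(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample bundle: placeholder base64 bodies, not real certificates.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\r\nAAAA\r\nBBBB\r\n-----END CERTIFICATE-----\r\n"
    "-----BEGIN X509 CERTIFICATE-----\nCCCC\n-----END X509 CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nZZZZ\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN TRUSTED CERTIFICATE-----\r\nDDDD\r\n-----END TRUSTED CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    for label, block in split_pem_certificates(SAMPLE_BUNDLE):
        print(f"{label:20s} {sha1_fingerprint(block)}")
```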