Package: ssl-cert
Version: 1.0.35
Severity: serious

I've marked this bug serious because it could lead to security problems if people mix root certs and other certs in the same directory.
This package provides the script /usr/sbin/make-ssl-cert

It creates certificates and puts the public key / certificate PEM file in /etc/ssl/certs

The ca-certificates package puts symlinks to CA certificates in the same location, /etc/ssl/certs

Some other packages refer to /etc/ssl/certs as a directory of trusted roots. E.g. according to this page:

https://wiki.debian.org/ServicesSSL

the whole directory was trusted by wget in wheezy but not in jessie.

Some people suggest using /etc/ssl/ssl.crt or /etc/ssl/public for local certificate files.

I did a Google search to try and find out if there is a policy about this directory and no results were found. So I can't say that this package is violating any specific policy or what should be done to fix it, but I do feel the status quo is troublesome.

Should local certs go in some other directory, or should other packages stop trusting everything in /etc/ssl/certs? If it is the latter, then maybe some QA check is needed to evaluate how many packages refer to that location.

I came across these pages relating to the topic:

https://wiki.debian.org/Cryptography
https://wiki.debian.org/X.509
https://wiki.debian.org/SslCertificateHandling
https://wiki.debian.org/ServicesSSL

In RHEL 7, I notice they have:

/etc/pki/tls/certs (local server certs)
/etc/pki/tls/private (private keys)

and there is no directory with a collection of root certs, just a couple of root bundles with all certs in the same file:

/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.trust.crt

The Fedora docs are here:

https://fedoraproject.org/wiki/Features/SharedSystemCertificates
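The condition the report warns about, a non-CA certificate written by make-ssl-cert sitting among the ca-certificates symlinks in a directory that some software treats as a trust store, can be checked for with the following audit script. This is an added example, not code from the ssl-cert or ca-certificates packages and not from the bug reporter. It uses only the Python standard library: a minimal DER walker extracts the basicConstraints extension (OID 2.5.29.19) from every PEM certificate in a directory and flags any certificate that is not marked CA:TRUE, also noting whether subject and issuer match (the self-signed shape of a make-ssl-cert certificate). The demo directory it builds under a temp dir is constructed here; the file names (Example_Root_CA.pem, ssl-cert-snakeoil.pem, a mozilla subdirectory) are assumptions about the layout, and the sample certificates are structurally valid X.509v3 but unsigned, with placeholder keys.

```python
"""Audit a directory of PEM certificates (e.g. /etc/ssl/certs) for entries that are not CA
certificates.  Example code, stdlib only; not from the ssl-cert or ca-certificates packages."""
import base64
import os
import re
import tempfile

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")      # 2.5.29.19
OID_CN = bytes.fromhex("550403")                     # 2.5.4.3 (commonName)

def der_read(buf, pos):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; handles short and long length forms."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the contents of a constructed element into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def analyze_cert(der):
    """Classify one DER certificate: CA flag from basicConstraints, plus a self-signed heuristic."""
    _, cert, _ = der_read(der, 0)
    fields = der_children(der_children(cert)[0][1])  # tbsCertificate contents
    if fields[0][0] == 0xA0:                         # [0] EXPLICIT version is optional
        fields = fields[1:]
    # fields: serial, signature alg, issuer, validity, subject, SPKI, [uniqueIDs], [3] extensions
    issuer, subject = fields[2][1], fields[4][1]
    is_ca = has_bc = False
    for tag, val in fields[6:]:
        if tag != 0xA3:
            continue
        for _, ext in der_children(der_children(val)[0][1]):     # SEQUENCE OF Extension
            parts = der_children(ext)                # extnID, [critical BOOLEAN], extnValue
            if parts[0][1] != OID_BASIC_CONSTRAINTS:
                continue
            has_bc = True
            bc = der_children(der_children(parts[-1][1])[0][1])  # BasicConstraints SEQUENCE
            is_ca = any(t == 0x01 and v != b"\x00" for t, v in bc)  # cA BOOLEAN DEFAULT FALSE
    return {"subject": subject, "issuer": issuer, "is_ca": is_ca,
            "has_basic_constraints": has_bc, "self_signed": subject == issuer}

def audit_dir(path):
    """Classify every certificate in every PEM file directly under `path` (symlinks are followed)."""
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as f:
            data = f.read()
        for m in PEM_RE.finditer(data):              # bundle files may hold many certificates
            info = analyze_cert(base64.b64decode(re.sub(rb"\s+", b"", m.group(1))))
            info["file"] = name
            findings.append(info)
    return findings

def non_ca_certs(path):
    """File names under `path` holding a certificate that is not marked CA:TRUE."""
    return sorted({f["file"] for f in audit_dir(path) if not f["is_ca"]})

# ---- constructed sample data: tiny DER encoder and unsigned placeholder certificates ----
def der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

ALG_SHA256_RSA = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b""))

def _name(cn):                                       # Name ::= SEQUENCE OF SET OF (OID, value)
    return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, OID_CN) + der_tlv(0x0C, cn))))

def make_sample_cert(subject_cn, issuer_cn, ca):
    """Structurally valid X.509v3 certificate with placeholder key and signature (never verifies)."""
    bc = der_tlv(0x30, der_tlv(0x01, b"\xff") if ca else b"")     # DER omits cA when FALSE
    ext = der_tlv(0x30, der_tlv(0x06, OID_BASIC_CONSTRAINTS) + der_tlv(0x01, b"\xff") + der_tlv(0x04, bc))
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"340101000000Z"))
    spki = der_tlv(0x30, ALG_SHA256_RSA + der_tlv(0x03, b"\x00"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + ALG_SHA256_RSA
                  + _name(issuer_cn) + validity + _name(subject_cn) + spki + der_tlv(0xA3, der_tlv(0x30, ext)))
    return der_tlv(0x30, tbs + ALG_SHA256_RSA + der_tlv(0x03, b"\x00"))

def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

def build_demo_dir():
    """Temp dir laid out like /etc/ssl/certs: a CA symlink (ca-certificates style) next to a
    self-signed leaf where make-ssl-cert writes its output.  File and dir names are assumptions."""
    d = tempfile.mkdtemp()
    os.mkdir(os.path.join(d, "mozilla"))
    with open(os.path.join(d, "mozilla", "Example_Root_CA.crt"), "w") as f:
        f.write(to_pem(make_sample_cert(b"Example Root CA", b"Example Root CA", True)))
    os.symlink(os.path.join(d, "mozilla", "Example_Root_CA.crt"), os.path.join(d, "Example_Root_CA.pem"))
    with open(os.path.join(d, "ssl-cert-snakeoil.pem"), "w") as f:
        f.write(to_pem(make_sample_cert(b"myhost.example", b"myhost.example", False)))
    return d
```

Against a real system, call non_ca_certs("/etc/ssl/certs"); any file it returns is a certificate that tools trusting the whole directory would accept as a root even though it was never meant to be one. The check is purely structural (it reads basicConstraints and compares the DER-encoded subject and issuer; it does not verify signatures), so a self-signed leaf without CA:TRUE is reported but a mis-issued CA certificate is not. Bundle files such as ca-certificates.crt are scanned certificate by certificate, so one file can appear in the audit output many times.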