Package: ssl-cert
Version: 1.0.35
Severity: important

Newer web browsers (Chrome 58+, Firefox 48+) are requiring that Subject Alternative Names (SANs) be present in certificates, and are ignoring the Common Name (CN) field.
The snakeoil certs generated by make-ssl-cert(8) currently do not put the SAN fields in by default (one has to use a custom template). This can be fixed by first tweaking the default ssleay.cnf file, and appending the following to the end:

    [...]
    [ v3_req ]
    basicConstraints = CA:FALSE
    # New content below:
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = @HostName@

The invocation of sed(1) in create_temporary_cnf() will then make sure that @HostName@ will be replaced in both the CN and SAN.

The create_temporary_cnf() function also needs to be changed as there is now the possibility of two SAN fields, so each needs to be unique:

    [ -z "$AltName" ] || echo "DNS.2=$AltName" >> $TMPFILE

The numbers don't actually matter (i.e., we could use DNS.314), as long as they are unique.

Ideally these changes should go into Debian 9, as browsers are using this new behaviour right now, so we want to make sure that new installs use the new way of doing things for better compatibility for the life of stretch.

-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ssl-cert depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  openssl                1.0.1t-1+deb8u5

ssl-cert recommends no packages.

Versions of packages ssl-cert suggests:
pn  openssl-blacklist  <none>

-- debconf information excluded
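
The proposed template and append step, reproduced as an added example (not code from the report or from the ssl-cert package). The template is a constructed minimal stand-in for ssleay.cnf, and render_cnf, dup_san_keys and show_san are hypothetical helper names; show_san assumes openssl is installed.

```shell
#!/bin/sh
# Added example. The template is a constructed minimal stand-in for
# ssleay.cnf, ending with the [ v3_req ] / [alt_names] lines from the report.

# render_cnf HOSTNAME [ALTNAME]: print the temporary OpenSSL config.
render_cnf() {
    HostName=$1
    AltName=${2:-}
    # One sed pass fills @HostName@ in both commonName and DNS.1.
    sed -e "s#@HostName@#$HostName#" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
prompt             = no
x509_extensions    = v3_req

[ req_distinguished_name ]
commonName = @HostName@

[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName = @alt_names

[alt_names]
DNS.1 = @HostName@
EOF
    # [alt_names] is the last section, so an appended line lands inside it.
    [ -z "$AltName" ] || echo "DNS.2 = $AltName"
}

# dup_san_keys: read a config on stdin, print [alt_names] keys used twice.
dup_san_keys() {
    awk -F'[ =]+' '/^\[/ { in_alt = ($0 ~ /alt_names/); next }
                   in_alt && /^DNS\./ { print $1 }' | sort | uniq -d
}

# show_san HOSTNAME [ALTNAME]: self-sign a throwaway cert, print its SAN line.
show_san() {
    dir=$(mktemp -d) || return 1
    render_cnf "$@" > "$dir/cnf"
    openssl req -new -x509 -nodes -days 1 -config "$dir/cnf" \
        -keyout "$dir/key" -out "$dir/crt" 2>/dev/null &&
    openssl x509 -in "$dir/crt" -noout -text | grep 'DNS:'
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

The append only works while [alt_names] stays the final section of the template; if another section is later added after it, the DNS.2 line would end up in that section instead.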