Package: gnutls-bin
Version: 2.10.5-1
Severity: important

Hi there!
I was creating a Certificate Signing Request with certtool and then I discovered that the output file contains more than the CSR; even worse, it contains the password asked for during the creation. I could not find any reason for that, nor does the manpage contain any hint about how to output the CSR alone.

However, I found #522281:
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=522281#10>

On Thu, 11 Jun 2009 11:14:29 +0200, Simon Josefsson wrote:
> Matthew King <matthew.k...@monnsta.net> writes:
>> If you attempt to use a pkcs8 private key with a template file, and that
>> template file does not specify the passphrase, certtool exits with an
>> error:
>>
>> certtool: importing --load-privkey: ca-key.pem: Decryption has failed.
>>
>> I am not sure which is worse - putting the passphrase in the template
>> file or asking questions in batch mode, but the patch to allow the
>> latter is simple:
[...]
> I believe an error message in this situation is reasonable: the reason
> for the template mode is to avoid interactive questions. It would be
> wrong to ask questions for missing data in a template.
>
> Specifying a password in a template file is a security concern, but
> other files on Unix systems contain passwords and private keys so it is
> a well understood problem. It is possible to protect these files using
> a restricted file mode.

Indeed, the output certtool now displays when creating a CSR seems to me a template, although it includes the CSR at the end. This is a big regression WRT security and I do not share Simon's view about putting passwords in files and protecting them with restricted file modes: by default, no password of any kind should be written to a file.

IMHO the severity should be more than important, but neither the definition of serious nor the one of grave seemed to fit what I just wrote above.
Thx, bye,
Gismo / Luca

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnutls-bin depends on:
ii  libc6         2.11.2-13         Embedded GNU C Library: Shared lib
ii  libgcrypt11   1.4.6-5           LGPL Crypto library - runtime libr
ii  libgnutls26   2.10.5-1          the GNU TLS library - runtime libr
ii  libreadline6  6.1-3             GNU readline and history libraries
ii  libtasn1-3    2.9-2             Manage ASN.1 structures (runtime)
ii  zlib1g        1:1.2.3.4.dfsg-3  compression library - runtime

gnutls-bin recommends no packages.

gnutls-bin suggests no packages.

-- no debconf information
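A post-generation check for the behaviour described in this report, added here as an example; it is not part of GnuTLS or of the original mail. It assumes the template field is called `password` and uses a constructed file in place of certtool's real `--outfile` output.

```sh
#!/bin/sh
# Added example, not code from the bug report or from GnuTLS: after running
# `certtool --generate-request ... --outfile FILE`, verify that FILE holds
# nothing but the PEM certificate request, and pull the CSR out on its own.

# Print only the PEM certificate-request block(s) of a file.
extract_csr() {
    sed -n '/^-----BEGIN .*CERTIFICATE REQUEST-----$/,/^-----END .*CERTIFICATE REQUEST-----$/p' "$1"
}

# Print every non-blank line outside a PEM block; exit status 1 if any exist.
# A template-style "password = ..." line is exactly what would show up here.
leaked_lines() {
    awk '
        /^-----BEGIN /  { inpem = 1 }
        !inpem && NF    { print; found = 1 }
        /^-----END /    { inpem = 0 }
        END             { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample reproducing the reported symptom: template fields,
# passphrase included, written ahead of the CSR. The field name "password",
# every value and the base64 body are made up for this example.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
organization = "Example Org"
cn = "www.example.org"
password = "hunter2"
-----BEGIN CERTIFICATE REQUEST-----
QUJDREVGR0hJSktMTU5PUA==
-----END CERTIFICATE REQUEST-----
EOF

# What the output file should have contained: the CSR alone.
CLEAN=$(mktemp)
extract_csr "$SAMPLE" > "$CLEAN"
trap 'rm -f "$SAMPLE" "$CLEAN"' EXIT

for f in "$SAMPLE" "$CLEAN"; do
    if leaked_lines "$f" >/dev/null; then
        echo "$f: only the PEM CSR, safe to hand to the CA"
    else
        echo "$f: contains material outside the PEM block, do not ship:"
        leaked_lines "$f" | sed 's/^/    /'
    fi
done
```

Run it against a file certtool produced instead of the constructed sample to see whether anything besides the request reached disk; the extracted copy is what should be sent to the CA.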