subject:"Bug#772031\: Please allow SSL cert and key to be read from different files"

Bug#772031: Please allow SSL cert and key to be read from different files

2015-11-07 Thread Philipp Hübner

Hi,

Am 06.11.2015 um 21:10 schrieb martin f krafft:
> Having both the key and cert in one file could be considered a
> feature. But since the two data have different security models, and
> we do not have in-file differentiation (e.g. protect the key while
> let people read the cert), using two files is the only sensible way.

while I know that it's common practice to have the key in a different
file with tighter security mode, I don't see any security advantage in
it. I would make both files available read-only to the software in
question only.

The software, ejabberd in this case, needs access to both anyway. The
only advantage with separate files I can think of is when a 3rd-party
software wants/needs to access the public certificate, but then I would
simply throw the public part into /etc/ssl/certs/.


Anyway, I opened an issue with this feature request in the upstream bug
tracker at https://github.com/processone/ejabberd/issues/826 .

Anybody is welcome to send Pull-Requests for changes that implement this.


Regards,
-- 
 .''`.   Philipp Hübner 
: :'  :  pgp fp: 6719 25C5 B8CD E74A 5225  3DF9 E5CA 8C49 25E4 205F
`. `'`   Jabber: phil...@debalance.de, Skype: philipp-huebner
  `-
 We are the Power inside, we bring you Fantasy.
 We are the Kingdom of Light and Dreams,
 Gnosis and Life: Avantasia!



signature.asc
Description: OpenPGP digital signature

Bug#772031: Please allow SSL cert and key to be read from different files

2015-11-07 Thread Paul Muster

Dear Philipp,

On 07.11.2015 14:48, Philipp Hübner wrote:

> Anyway, I opened an issue with this feature request in the upstream bug
> tracker at https://github.com/processone/ejabberd/issues/826 .

Many thanks!


Greetings,

Paul

Bug#772031: Please allow SSL cert and key to be read from different files

2015-11-06 Thread Paul Muster

On 06.11.2015 13:03, Rhonda D'Vine wrote:
> * Paul Muster  [2015-11-04 21:21:39 CET]:

>> It's especially _necessary_ to split key, cert and chain to different
>> files to be able to use Let's Encrypt certificates.

This mistakable wording has been clarified >4 hours before your e-mail.

>  Said that, that doesn't mean I object to ejabberd supporting seperated
> files, but that's something for upstream to handle.

Fine. Yes, of course, this is an upstream topic. Therefore I asked:

>> Do you know if upstream already has an issue open for this (I
>> cannot find one)?


Greetings,

Paul

Bug#772031: Please allow SSL cert and key to be read from different files

2015-11-06 Thread Rhonda D'Vine

* Paul Muster  [2015-11-04 21:21:39 CET]:
> It's especially _necessary_ to split key, cert and chain to different
> files to be able to use Let's Encrypt certificates.

 Hmm, the PEM format isn't that uncommon, shouldn't that (also) be
turned into a feature request to Let's Encrypt?  There for sure is more
than just ejabberd using PEM format, I've seen and touched a fair amount
of services over time that use that, so I rather see that as a
limitation in Let's Encrypt.

 Given that the letsencrypt client is free software, that would be a
useful approach. https://github.com/letsencrypt/letsencrypt is the
repository, but my python is pretty limited to be able to provide a
patch for that.

 Said that, that doesn't mean I object to ejabberd supporting seperated
files, but that's something for upstream to handle.

 So long,
Rhonda
-- 
Fühlst du dich mutlos, fass endlich Mut, los  |
Fühlst du dich hilflos, geh raus und hilf, los| Wir sind Helden
Fühlst du dich machtlos, geh raus und mach, los   | 23.55: Alles auf Anfang
Fühlst du dich haltlos, such Halt und lass los|

Bug#772031: Please allow SSL cert and key to be read from different files

2015-11-06 Thread Rhonda D'Vine

* Paul Muster  [2015-11-06 13:50:28 CET]:
> On 06.11.2015 13:03, Rhonda D'Vine wrote:
> > * Paul Muster  [2015-11-04 21:21:39 CET]:
> 
> >> It's especially _necessary_ to split key, cert and chain to different
> >> files to be able to use Let's Encrypt certificates.
> 
> This mistakable wording has been clarified >4 hours before your e-mail.

 Well, yes and no.  Your "clearification" didn't transport much new in
that respect:

| It's especially _necessary_ to split key, cert and chain to different
| files to be able to use Let's Encrypt's certificate renewal machanism.

 I pointed out that Let's Encrypt's certificate renewal mechanism is
free software and can (and should) be allowed to combine the different
files.  And even if not, wherever you hook in the renewal mechanism
(cron script?) it should be fairly easy to add the cat into a single
file after it.  So reiterating and keep with that it's _necessary_ isn't
true in that respect.

> >  Said that, that doesn't mean I object to ejabberd supporting seperated
> > files, but that's something for upstream to handle.
> 
> Fine. Yes, of course, this is an upstream topic. Therefore I asked:
> 
> >> Do you know if upstream already has an issue open for this (I
> >> cannot find one)?

 We are working on filing it upstream and will link it from the
bugreport in case it ends up in a public place.  Said that, the upstream
bug tracker is at github and thus open to all github users to use:
https://github.com/processone/ejabberd/issues

 So long,
Rhonda
-- 
Fühlst du dich mutlos, fass endlich Mut, los  |
Fühlst du dich hilflos, geh raus und hilf, los| Wir sind Helden
Fühlst du dich machtlos, geh raus und mach, los   | 23.55: Alles auf Anfang
Fühlst du dich haltlos, such Halt und lass los|

Bug#772031: Please allow SSL cert and key to be read from different files

2015-11-06 Thread martin f krafft

also sprach Rhonda D'Vine  [2015-11-07 01:03 +1300]:
>  Hmm, the PEM format isn't that uncommon, shouldn't that (also) be
> turned into a feature request to Let's Encrypt?  There for sure is more
> than just ejabberd using PEM format, I've seen and touched a fair amount
> of services over time that use that, so I rather see that as a
> limitation in Let's Encrypt.

The issue of splitting certificates is independent of the PEM
format.

Having both the key and cert in one file could be considered
a feature. But since the two data have different security models,
and we do not have in-file differentiation (e.g. protect the key
while let people read the cert), using two files is the only
sensible way.

-- 
 .''`.   martin f. krafft  @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems


digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current)

Bug#772031: Please allow SSL cert and key to be read from different files

2015-11-05 Thread Paul Muster

On 04.11.2015 21:57, Holger Weiß wrote:
> * Paul Muster  [2015-11-04 21:21]:

>> It's especially _necessary_ to split key, cert and chain to different
>> files to be able to use Let's Encrypt certificates.
> 
> I haven't played with Let's Encrypt yet, but I guess you could just run
> 
> $ cat key.pem cert.pem chain.pem > ejabberd.pem
> 
> after doing whatever has to be done to maintain their certificates, no?

Yes, but this has to be done _every time_ the 'Let's Encrypt agent'
updates the cert - a use case which should happen without admin's
involvement.

Better wording:
It's especially _necessary_ to split key, cert and chain to different
files to be able to use Let's Encrypt's certificate renewal machanism.

Greetings,

Paul

smime.p7s
Description: S/MIME Cryptographic Signature

Bug#772031: Please allow SSL cert and key to be read from different files

2015-11-04 Thread Holger Weiß

* Paul Muster  [2015-11-04 21:21]:
> It's especially _necessary_ to split key, cert and chain to different
> files to be able to use Let's Encrypt certificates.

I haven't played with Let's Encrypt yet, but I guess you could just run

$ cat key.pem cert.pem chain.pem > ejabberd.pem

after doing whatever has to be done to maintain their certificates, no?

Bug#772031: Please allow SSL cert and key to be read from different files

2015-11-04 Thread Paul Muster

Dear Ejabberd-Team,

On Thu, 4 Dec 2014 15:11:41 +0100 martin f krafft wrote:
> Package: ejabberd
> Version: 14.07-3
> Severity: wishlist
> Tags: upstream
> 
> SSL cert and key usually are not in the same file. The key usually
> has tighter security. Please let me poit ejabberd to a separate
> keyfile, not just the certfile, such that it then loads the key from
> there.

Is there any point one could assist you with on this bug?

Do you know if upstream already has an issue open for this (I cannot
find one)?

It's especially _necessary_ to split key, cert and chain to different
files to be able to use Let's Encrypt certificates.

Thanks & Greetings,

Paul

Bug#772031: Please allow SSL cert and key to be read from different files

2015-11-04 Thread martin f krafft

also sprach Holger Weiß  [2015-11-05 09:57 +1300]:
> I haven't played with Let's Encrypt yet, but I guess you could just run
> $ cat key.pem cert.pem chain.pem > ejabberd.pem
> after doing whatever has to be done to maintain their certificates, no?

Yes, of course, but that's an additional step that can be forgotten,
and it's quite normal to have cert and key split between files, so
I'd urge ejabberd to do the same…

-- 
 .''`.   martin f. krafft  @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems


digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current)

Bug#772031: Please allow SSL cert and key to be read from different files

2014-12-04 Thread martin f krafft

Package: ejabberd
Version: 14.07-3
Severity: wishlist
Tags: upstream

SSL cert and key usually are not in the same file. The key usually
has tighter security. Please let me poit ejabberd to a separate
keyfile, not just the certfile, such that it then loads the key from
there.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.17-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_NZ, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


-- 
 .''`.   martin f. krafft madduck@d.o @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems


digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current)

Bug#772031: Please allow SSL cert and key to be read from different files

Bug#772031: Please allow SSL cert and key to be read from different files

Bug#772031: Please allow SSL cert and key to be read from different files

Bug#772031: Please allow SSL cert and key to be read from different files

Bug#772031: Please allow SSL cert and key to be read from different files

Bug#772031: Please allow SSL cert and key to be read from different files

Bug#772031: Please allow SSL cert and key to be read from different files

Bug#772031: Please allow SSL cert and key to be read from different files

Bug#772031: Please allow SSL cert and key to be read from different files

Bug#772031: Please allow SSL cert and key to be read from different files

Bug#772031: Please allow SSL cert and key to be read from different files

11 matches

Site Navigation

Mail list logo

Footer information