Bug#772031: Please allow SSL cert and key to be read from different files
Hi,

On 06.11.2015 at 21:10, martin f krafft wrote:
> Having both the key and cert in one file could be considered a
> feature. But since the two data have different security models, and
> we do not have in-file differentiation (e.g. protect the key while
> letting people read the cert), using two files is the only sensible way.

While I know that it's common practice to have the key in a different file with a tighter security mode, I don't see any security advantage in it. I would make both files available read-only to the software in question only. The software, ejabberd in this case, needs access to both anyway.

The only advantage of separate files I can think of is when 3rd-party software wants/needs to access the public certificate, but then I would simply throw the public part into /etc/ssl/certs/.

Anyway, I opened an issue with this feature request in the upstream bug tracker at https://github.com/processone/ejabberd/issues/826 . Anybody is welcome to send pull requests for changes that implement this.

Regards,
-- 
 .''`.  Philipp Hübner
: :'  :  pgp fp: 6719 25C5 B8CD E74A 5225 3DF9 E5CA 8C49 25E4 205F
`. `'`   Jabber: phil...@debalance.de, Skype: philipp-huebner
  `-     We are the Power inside, we bring you Fantasy.
         We are the Kingdom of Light and Dreams, Gnosis and Life: Avantasia!
Bug#772031: Please allow SSL cert and key to be read from different files
Dear Philipp,

On 07.11.2015 14:48, Philipp Hübner wrote:
> Anyway, I opened an issue with this feature request in the upstream bug
> tracker at https://github.com/processone/ejabberd/issues/826 .

Many thanks!

Greetings, Paul
Bug#772031: Please allow SSL cert and key to be read from different files
On 06.11.2015 13:03, Rhonda D'Vine wrote:
> * Paul Muster [2015-11-04 21:21:39 CET]:
>> It's especially _necessary_ to split key, cert and chain to different
>> files to be able to use Let's Encrypt certificates.

This mistakable wording had been clarified more than 4 hours before your e-mail.

> Said that, that doesn't mean I object to ejabberd supporting separated
> files, but that's something for upstream to handle.

Fine. Yes, of course, this is an upstream topic. Therefore I asked:

>> Do you know if upstream already has an issue open for this (I
>> cannot find one)?

Greetings, Paul
Bug#772031: Please allow SSL cert and key to be read from different files
* Paul Muster [2015-11-04 21:21:39 CET]:
> It's especially _necessary_ to split key, cert and chain to different
> files to be able to use Let's Encrypt certificates.

Hmm, the PEM format isn't that uncommon, shouldn't that (also) be turned into a feature request to Let's Encrypt? There for sure is more than just ejabberd using the PEM format, I've seen and touched a fair amount of services over time that use it, so I rather see that as a limitation in Let's Encrypt. Given that the letsencrypt client is free software, that would be a useful approach. https://github.com/letsencrypt/letsencrypt is the repository, but my python is too limited to be able to provide a patch for that.

Said that, that doesn't mean I object to ejabberd supporting separated files, but that's something for upstream to handle.

So long,
Rhonda
-- 
Do you feel discouraged? Finally take courage, go  |
Do you feel helpless? Go out and help, go          | Wir sind Helden
Do you feel powerless? Go out and act, go          | 23.55: Alles auf Anfang
Do you feel adrift? Look for a hold and let go     |
Bug#772031: Please allow SSL cert and key to be read from different files
* Paul Muster [2015-11-06 13:50:28 CET]:
> On 06.11.2015 13:03, Rhonda D'Vine wrote:
> > * Paul Muster [2015-11-04 21:21:39 CET]:
> >> It's especially _necessary_ to split key, cert and chain to different
> >> files to be able to use Let's Encrypt certificates.
>
> This mistakable wording had been clarified more than 4 hours before your e-mail.

Well, yes and no. Your "clarification" didn't convey much new in that respect:

| It's especially _necessary_ to split key, cert and chain to different
| files to be able to use Let's Encrypt's certificate renewal mechanism.

I pointed out that Let's Encrypt's certificate renewal mechanism is free software and can (and should) be allowed to combine the different files. And even if not, wherever you hook in the renewal mechanism (cron script?) it should be fairly easy to add the cat into a single file after it. So reiterating and keeping to it that it's _necessary_ isn't true in that respect.

> > Said that, that doesn't mean I object to ejabberd supporting separated
> > files, but that's something for upstream to handle.
>
> Fine. Yes, of course, this is an upstream topic. Therefore I asked:
>
> >> Do you know if upstream already has an issue open for this (I
> >> cannot find one)?

We are working on filing it upstream and will link it from the bug report in case it ends up in a public place. Said that, the upstream bug tracker is at github and thus open to all github users to use: https://github.com/processone/ejabberd/issues

So long,
Rhonda
-- 
Do you feel discouraged? Finally take courage, go  |
Do you feel helpless? Go out and help, go          | Wir sind Helden
Do you feel powerless? Go out and act, go          | 23.55: Alles auf Anfang
Do you feel adrift? Look for a hold and let go     |
Bug#772031: Please allow SSL cert and key to be read from different files
Thus spoke Rhonda D'Vine [2015-11-07 01:03 +1300]:
> Hmm, the PEM format isn't that uncommon, shouldn't that (also) be
> turned into a feature request to Let's Encrypt? There for sure is more
> than just ejabberd using PEM format, I've seen and touched a fair amount
> of services over time that use that, so I rather see that as a
> limitation in Let's Encrypt.

The issue of splitting certificates is independent of the PEM format. Having both the key and cert in one file could be considered a feature. But since the two data have different security models, and we do not have in-file differentiation (e.g. protect the key while letting people read the cert), using two files is the only sensible way.

-- 
 .''`.  martin f. krafft @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-     Debian - when you have better things to do than fixing systems
Bug#772031: Please allow SSL cert and key to be read from different files
On 04.11.2015 21:57, Holger Weiß wrote:
> * Paul Muster [2015-11-04 21:21]:
>> It's especially _necessary_ to split key, cert and chain to different
>> files to be able to use Let's Encrypt certificates.
>
> I haven't played with Let's Encrypt yet, but I guess you could just run
>
>   $ cat key.pem cert.pem chain.pem > ejabberd.pem
>
> after doing whatever has to be done to maintain their certificates, no?

Yes, but this has to be done _every time_ the 'Let's Encrypt agent' updates the cert, a use case which should happen without the admin's involvement.

Better wording: It's especially _necessary_ to split key, cert and chain to different files to be able to use Let's Encrypt's certificate renewal mechanism.

Greetings, Paul
Bug#772031: Please allow SSL cert and key to be read from different files
* Paul Muster [2015-11-04 21:21]:
> It's especially _necessary_ to split key, cert and chain to different
> files to be able to use Let's Encrypt certificates.

I haven't played with Let's Encrypt yet, but I guess you could just run

  $ cat key.pem cert.pem chain.pem > ejabberd.pem

after doing whatever has to be done to maintain their certificates, no?
Bug#772031: Please allow SSL cert and key to be read from different files
Dear Ejabberd-Team,

On Thu, 4 Dec 2014 15:11:41 +0100 martin f krafft wrote:
> Package: ejabberd
> Version: 14.07-3
> Severity: wishlist
> Tags: upstream
>
> SSL cert and key usually are not in the same file. The key usually
> has tighter security. Please let me point ejabberd to a separate
> keyfile, not just the certfile, such that it then loads the key from
> there.

Is there any point one could assist you with on this bug? Do you know if upstream already has an issue open for this (I cannot find one)?

It's especially _necessary_ to split key, cert and chain to different files to be able to use Let's Encrypt certificates.

Thanks & Greetings, Paul
Bug#772031: Please allow SSL cert and key to be read from different files
Thus spoke Holger Weiß [2015-11-05 09:57 +1300]:
> I haven't played with Let's Encrypt yet, but I guess you could just run
>
>   $ cat key.pem cert.pem chain.pem > ejabberd.pem
>
> after doing whatever has to be done to maintain their certificates, no?

Yes, of course, but that's an additional step that can be forgotten, and it's quite normal to have cert and key split between files, so I'd urge ejabberd to do the same…

-- 
 .''`.  martin f. krafft @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-     Debian - when you have better things to do than fixing systems
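The concatenation step discussed in the three messages above (Holger's one-line cat, Paul's objection that it has to run on every unattended renewal, and martin's point that the key and the cert have different security models and so the combined file must be protected like a key) is exactly the kind of thing a renewal hook should do. What follows is an added example, not code from this bug thread, from ejabberd or from the Let's Encrypt client: a POSIX sh deploy hook written for the current certbot client (the renamed letsencrypt client), which exports RENEWED_LINEAGE, the directory holding privkey.pem, cert.pem and chain.pem, when it runs a --deploy-hook after a successful renewal. The hook refuses to deploy a key that does not match the cert, builds ejabberd's combined PEM with the key never world-readable, and publishes the public half separately under /etc/ssl/certs/ as Philipp suggests, so nothing but ejabberd needs read access to the file containing the key. The output path /etc/ejabberd/ejabberd.pem, the group name ejabberd, the public-copy path and `ejabberdctl reload_config` as the reload step are assumptions for this example, not settings from the thread.

```shell
#!/bin/sh
# Added example (not from Bug#772031, ejabberd or certbot): a certbot
# --deploy-hook that rebuilds ejabberd's single combined PEM from the
# separate key/cert/chain files after every renewal, keeps the private
# key protected while doing so, and publishes the cert part separately.
set -eu

# key_matches_cert KEY CERT
#   Succeeds only if CERT carries the public key derived from KEY, which
#   catches the renewal mistake of pairing a fresh cert with a stale key.
#   Needs the openssl CLI. Both commands print the public key as a PEM
#   SubjectPublicKeyInfo block, so the two strings compare directly.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# world_readable FILE: succeed if FILE has its o+r bit set.
world_readable() {
    [ -n "$(find "$1" -prune -perm -o+r)" ]
}

# assemble_pem KEY CERT CHAIN OUT [GROUP]
#   Writes KEY+CERT+CHAIN to OUT, the order ejabberd expects in its
#   certfile. The data goes into a temp file in OUT's directory that is
#   chmod 0640 (and chgrp GROUP, if given) *before* any key material is
#   written, then is renamed over OUT. ejabberd therefore never opens a
#   half-written file and the key is never world-readable, not even
#   between two commands of the hook.
assemble_pem() {
    key=$1; cert=$2; chain=$3; out=$4; group=${5:-}
    tmp=$(mktemp "$(dirname "$out")/.ejabberd.pem.XXXXXX")
    chmod 0640 "$tmp"
    if [ -n "$group" ]; then chgrp "$group" "$tmp"; fi
    cat "$key" "$cert" "$chain" > "$tmp"
    mv -f "$tmp" "$out"
}

# deploy_hook: the certbot entry point. certbot exports RENEWED_LINEAGE
# (e.g. /etc/letsencrypt/live/xmpp.example.org) when running the hook.
# EJABBERD_PEM, the group name and the reload command are assumptions.
deploy_hook() {
    lineage=${RENEWED_LINEAGE:?not running as a certbot deploy hook}
    out=${EJABBERD_PEM:-/etc/ejabberd/ejabberd.pem}
    pub=/etc/ssl/certs/ejabberd-public.pem
    key_matches_cert "$lineage/privkey.pem" "$lineage/cert.pem" || {
        echo "refusing to deploy: privkey.pem does not match cert.pem" >&2
        exit 1
    }
    assemble_pem "$lineage/privkey.pem" "$lineage/cert.pem" \
                 "$lineage/chain.pem" "$out" ejabberd
    # The public half is harmless to share: hand other software the cert
    # and chain world-readable, so nobody needs to read the key file.
    cat "$lineage/cert.pem" "$lineage/chain.pem" > "$pub.tmp"
    chmod 0644 "$pub.tmp"
    mv -f "$pub.tmp" "$pub"
    # Belt and braces: fail loudly if anything (an ACL, an unexpected
    # umask) still left the key exposed before ejabberd is told to reload.
    if world_readable "$out"; then
        echo "refusing to reload: $out is world-readable" >&2
        exit 1
    fi
    ejabberdctl reload_config
}

# Only act when certbot actually invoked us; sourcing the file for its
# functions, or running it by hand without RENEWED_LINEAGE, does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

Install it as the `--deploy-hook` of the certbot invocation (or drop it into /etc/letsencrypt/renewal-hooks/deploy/) and it runs as root only when a certificate was actually renewed, which is precisely the "every time the agent updates the cert" case Paul describes; the key check at the top is what turns a silent stale-key deployment into a refusal with a log line.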
Bug#772031: Please allow SSL cert and key to be read from different files
Package: ejabberd
Version: 14.07-3
Severity: wishlist
Tags: upstream

SSL cert and key usually are not in the same file. The key usually has tighter security. Please let me point ejabberd to a separate keyfile, not just the certfile, such that it then loads the key from there.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.17-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_NZ, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
 .''`.  martin f. krafft <madduck@d.o> @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-     Debian - when you have better things to do than fixing systems