Bug#790943: Root and local certificate location clash
You made a very good investigation on the topic. I agree that a public cert shouldn't be placed into the same folder as CA certs. There is some mention of a weird bug: https://serverfault.com/a/840191/442430

Instead I think that both the private key and the cert should be merged into one file and placed into /etc/ssl/private/.

It looks like there were a lot of discussions but we didn't come to a single agreement about the place to store certs and how to manage them. Please read my proposition here: https://github.com/certbot/certbot/issues/1425#issuecomment-1150116062

I'd appreciate any feedback.

Regards,
Sergey Ponomarev, stokito.com
Bug#790943: Root and local certificate location clash
I just came across this while configuring the CA certs for some software. It would be really nice if this security issue were fixed at some point.

In the meantime, it looks like /etc/ssl/certs/ca-certificates.crt doesn't have the snake oil certificate (at least on my systems) even though /etc/ssl/cert does have symlinks to it. So I think it might be a reasonable workaround to point software at the single file instead of the directory?
Bug#790943: Root and local certificate location clash
severity 790943 normal
thanks

On Friday 03 July 2015 10:56:54, Daniel Pocock wrote:
> I've marked this bug serious because it could lead to security
> problems if people mix root certs and other certs in the same
> directory

The certificates generated by make-ssl-cert all have "X509v3 Basic Constraints: CA:FALSE". Any program that accepts such certificates as a trusted root certificate already has a serious security problem. Therefore I don't think the policy of make-ssl-cert to put certs into /etc/ssl/certs creates additional security issues. I am downgrading the bug accordingly.

I am not really against putting server and CA certificates into separate directories. But some Debian-wide default would be nice, of course. Maybe we can discuss that at Debconf?

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
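A defender's check for the mix discussed in this message, as an added example that is not code from the thread or from the ssl-cert package: this POSIX shell script scans a certificate directory and flags every certificate whose X509v3 Basic Constraints are not CA:TRUE, and builds a constructed two-certificate demo directory (one self-signed root, one CA:FALSE server cert, the way make-ssl-cert would emit it) with the openssl CLI to exercise the check. It assumes openssl 1.1.1 or newer on PATH; the file names and subjects in the demo are made up.

```shell
#!/bin/sh
# Added example, not code from the bug thread or the ssl-cert package.
# Audits a trust directory for certificates whose X509v3 Basic Constraints
# are not CA:TRUE (e.g. make-ssl-cert's snake-oil cert mixed in with roots).
# Assumes the openssl CLI (1.1.1+ for -addext in the demo) is on PATH.
set -u

# Print each non-CA cert in $1 to stderr and the count to stdout.
# Looks at *.pem and *.crt, following symlinks as in /etc/ssl/certs.
audit_cert_dir() {
    dir=$1; bad=0
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        # Take the line after the Basic Constraints header; a cert without
        # the extension is treated as non-CA too, since it cannot be a v3 root.
        bc=$(openssl x509 -in "$f" -noout -text 2>/dev/null \
             | grep -A1 'X509v3 Basic Constraints' | tail -n 1)
        case "$bc" in
            *CA:TRUE*) ;;
            *) echo "non-CA certificate in trust directory: $f" >&2
               bad=$((bad + 1)) ;;
        esac
    done
    echo "$bad"
}

# Build a constructed demo directory in $1: one self-signed root (CA:TRUE)
# and one self-signed server cert with CA:FALSE, like make-ssl-cert emits.
# A minimal config keeps the system openssl.cnf's v3_ca defaults out.
make_demo_dir() {
    dir=$1
    mkdir -p "$dir"
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    openssl req -x509 -nodes -config "$dir/req.cnf" -days 1 \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -subj '/CN=Demo Root CA' -addext 'basicConstraints=critical,CA:TRUE' \
        -keyout "$dir/demo-root.key" -out "$dir/demo-root.pem" 2>/dev/null
    openssl req -x509 -nodes -config "$dir/req.cnf" -days 1 \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -subj '/CN=localhost' -addext 'basicConstraints=CA:FALSE' \
        -keyout "$dir/ssl-cert-snakeoil.key" -out "$dir/ssl-cert-snakeoil.pem" 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_demo_dir "$tmp"
    echo "non-CA certificates found: $(audit_cert_dir "$tmp")"
    rm -rf "$tmp"
fi
```

Run it with `--demo` to see the constructed directory audited, or call `audit_cert_dir /etc/ssl/certs` to check a real system; a count above zero means leaf certificates are sitting in the directory some programs treat as a root store.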
Bug#790943: Root and local certificate location clash
On Fri, 03 Jul 2015 10:56:54 +0200 Daniel Pocock wrote:
> Some other packages refer to /etc/ssl/certs as a directory of trusted
> roots. E.g. according to this page: https://wiki.debian.org/ServicesSSL
> the whole directory was trusted by wget in wheezy but not in jessie.

You have misunderstood the wiki page. The change for wget in jessie is that it now ignores non-CA certs in /etc/ssl/certs for verification purposes, whereas in wheezy you could also put individual service certs there too and avoid relying on the SSL mafia.

--
bye,
pabs

https://wiki.debian.org/PaulWise
Bug#790943: Root and local certificate location clash
Package: ssl-cert
Version: 1.0.35
Severity: serious

I've marked this bug serious because it could lead to security problems if people mix root certs and other certs in the same directory.

This package provides the script /usr/sbin/make-ssl-cert. It creates certificates and puts the public key / certificate PEM file in /etc/ssl/certs.

The ca-certificates package puts symlinks to CA certificates in the same location, /etc/ssl/certs.

Some other packages refer to /etc/ssl/certs as a directory of trusted roots. E.g. according to this page: https://wiki.debian.org/ServicesSSL the whole directory was trusted by wget in wheezy but not in jessie.

Some people suggest using /etc/ssl/ssl.crt or /etc/ssl/public for local certificate files.

I did a Google search to try and find out if there is a policy about this directory and no results were found. So I can't say that this package is violating any specific policy or what should be done to fix it, but I do feel the status quo is troublesome.

Should local certs go in some other directory, or should other packages stop trusting everything in /etc/ssl/certs? If it is the latter, then maybe some QA check is needed to evaluate how many packages refer to that location.

I came across these pages relating to the topic:

https://wiki.debian.org/Cryptography
https://wiki.debian.org/X.509
https://wiki.debian.org/SslCertificateHandling
https://wiki.debian.org/ServicesSSL

In RHEL 7, I notice they have:

/etc/pki/tls/certs (local server certs)
/etc/pki/tls/private (private keys)

and there is no directory with a collection of root certs, just a couple of root bundles with all certs in the same file:

/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.trust.crt

The Fedora docs are here: https://fedoraproject.org/wiki/Features/SharedSystemCertificates