[Bug 1853021] Re: ssl-cert generate-default-snakeoil provides no way to override default 10 year expiration or reduce to 825 day expiration
This bug was fixed in the package ssl-cert - 1.1.0

---
ssl-cert (1.1.0) unstable; urgency=medium

  [ Stefan Fritsch ]
  * Remove obsolete openssl-blacklist suggests.
  * Add some autopkgtests. LP: #1679405
  * Create correct hash symlink. LP: #1324897
  * Automatically re-create the default snakeoil certificate if its key
    length is below 2048 bits or if the signature algorithm is not sha256.
    Closes: #924881

  [ Bryce Harrington ]
  * Refactor make-ssl-cert a bit, add usage message.
  * Add --expiration-days option. LP: #1853021

 -- Stefan Fritsch  Mon, 28 Dec 2020 15:20:52 +0100

** Changed in: ssl-cert (Ubuntu)
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1853021

Title:
  ssl-cert generate-default-snakeoil provides no way to override default 10 year expiration or reduce to 825 day expiration

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ssl-cert/+bug/1853021/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1853021] Re: ssl-cert generate-default-snakeoil provides no way to override default 10 year expiration or reduce to 825 day expiration
The link at [1] does not talk about self-signed certificates at all, only
about DV and OV certificates.

I agree that make-ssl-cert should have an option for the lifetime of the
generated certificate, but I don't think that 825 days should be the
default for 'generate-default-snakeoil'. If you have an official
certificate, you don't have to do anything on the clients to make it
trusted, but for a self-signed certificate, you have to distribute the
certificate manually. Having to do this every 2.5 years seems excessive.

[1] https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/
[Bug 1853021] Re: ssl-cert generate-default-snakeoil provides no way to override default 10 year expiration or reduce to 825 day expiration
** Merge proposal linked:
   https://code.launchpad.net/~bryce/ubuntu/+source/ssl-cert/+git/ssl-cert/+merge/393784
[Bug 1853021] Re: ssl-cert generate-default-snakeoil provides no way to override default 10 year expiration or reduce to 825 day expiration
** Description changed:

- The CA/Browser Forum now has a standard with maximum expiration of 825
- days.
+ [Impact]
+ The CA/Browser Forum now has a standard with maximum expiration of 825
+ days.
  
  `ssl-cert generate-default-snakeoil` hardcodes this to 10 years (3650
  days), but provides no mechanism for setting this to alternative values,
  such as 825.
+ 
+ [Test Case]
+ $ openssl x509 -enddate -noout -in /etc/ssl/certs/ssl-cert-snakeoil.pem
+ notAfter=Dec 15 04:21:19 2029 GMT
+ $ sudo rm /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key
+ $ make-ssl-cert --expiration-days=10 generate-default-snakeoil
+ notAfter=Nov 24 04:21:43 2020 GMT
+ 
+ [Where Problems Could Occur]
+ The fix for this bug includes a new implementation of option handling,
+ so the most likely place to watch for issues would be options that no
+ longer work or behave differently. However, the script previously
+ supported only a small number of ways to be executed, so it is simple
+ to just test all the combinations.
+ 
+ The purpose of the script itself is to create certificates, so another
+ obvious thing to watch would be invalidly generated certificates.
+ 
+ [Original Report]
+ The CA/Browser Forum now has a standard with maximum expiration of 825
+ days.
  
  References:
  https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/
  https://www.sslshopper.com/cab-forum-reduces-max-cert-validity-to-825-days.html
  https://support.apple.com/en-us/HT210176
  
  Related previous issue when changed from 30-days to 10-years:
  "ssl-cert generate-default-snakeoil provides no way to override default 30 day expiration"
  https://bugs.launchpad.net/ubuntu/+source/ssl-cert/+bug/253512
  
  """
  The openssl req command requires a -days argument to override the
  default number of days (30) for validity of self-signed certificates.
  30 days seems an unreasonably low default.
  
  I have found no way to change this without fiddling with
  /usr/sbin/make-ssl-cert and adding "-days 365" (for example) to the
  relevant command line.
  """
[Bug 1853021] Re: ssl-cert generate-default-snakeoil provides no way to override default 10 year expiration or reduce to 825 day expiration
** Tags added: patch
[Bug 1853021] Re: ssl-cert generate-default-snakeoil provides no way to override default 10 year expiration or reduce to 825 day expiration
** Changed in: ssl-cert (Ubuntu)
       Status: New => Triaged

** Changed in: ssl-cert (Ubuntu)
   Importance: Undecided => Wishlist

** Tags added: bitesize

** Tags added: server-next
[Bug 1853021] Re: ssl-cert generate-default-snakeoil provides no way to override default 10 year expiration or reduce to 825 day expiration
If I understand correctly, the needed fix here is to modify
/usr/sbin/make-ssl-cert to add a --expiration-days=N option that passes
the value to the -days arg in the last invocation of `openssl req`, maybe
similar to what I've sketched in the attached (completely untested) patch?

** Patch added: "make-ssl-cert.patch"
   https://bugs.launchpad.net/ubuntu/+source/ssl-cert/+bug/1853021/+attachment/5306766/+files/make-ssl-cert.patch
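The two moving parts discussed in this thread are (a) checking how long the installed snakeoil certificate is actually valid for, which the test case above does with `openssl x509 -enddate`, and (b) validating the value handed to a `--expiration-days=N` option before it reaches `openssl req -days`. The script below is an added example written for this thread; it is not code from the ssl-cert package or from the attached patch. It parses the `notBefore=`/`notAfter=` lines that `openssl x509 -startdate -enddate -noout` prints, computes the lifetime in days, flags certificates longer than the 825-day CA/Browser Forum limit the bug references (the limit is a parameter, since the maintainer argues a different default for self-signed certificates), and rejects malformed or over-limit `--expiration-days` values. The sample openssl output is constructed from the dates in the test case; the `openssl_req_args` argument list and the `--expiration-days` validation rules are this example's assumptions about how such an option would behave, not the package's actual implementation.

```python
"""Check a snakeoil certificate's validity period against a maximum lifetime,
and validate a hypothetical --expiration-days=N value before it is passed to
``openssl req -days``.

Added example for bug 1853021; not part of the ssl-cert package.  Input is
the text printed by ``openssl x509 -startdate -enddate -noout``.
"""
import re
import shutil
import subprocess
from datetime import datetime, timezone

# CA/Browser Forum ballot 193 maximum cited in the bug, and the 10-year
# value make-ssl-cert hardcodes.
MAX_LIFETIME_DAYS = 825
SNAKEOIL_DEFAULT_DAYS = 3650

# Constructed sample: notAfter is the value from the bug's test case,
# notBefore is chosen so the lifetime is exactly the 3650-day default.
SAMPLE_DEFAULT = "notBefore=Dec 18 04:21:19 2019 GMT\nnotAfter=Dec 15 04:21:19 2029 GMT\n"
# Constructed sample matching the `--expiration-days=10` run in the test case.
SAMPLE_SHORT = "notBefore=Nov 14 04:21:43 2020 GMT\nnotAfter=Nov 24 04:21:43 2020 GMT\n"

_DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_validity(text):
    """Return (notBefore, notAfter) as aware UTC datetimes from openssl output."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^(notBefore|notAfter)=(.+)$", line.strip())
        if m:
            # openssl pads single-digit days with two spaces ("Dec  5"); collapse them.
            stamp = re.sub(r"\s+", " ", m.group(2).strip())
            found[m.group(1)] = datetime.strptime(stamp, _DATE_FMT).replace(tzinfo=timezone.utc)
    if "notBefore" not in found or "notAfter" not in found:
        raise ValueError("openssl output lacks notBefore/notAfter lines")
    return found["notBefore"], found["notAfter"]


def lifetime_days(text):
    """Whole days between notBefore and notAfter."""
    not_before, not_after = parse_validity(text)
    return (not_after - not_before).days


def check_lifetime(text, max_days=MAX_LIFETIME_DAYS):
    """Return (ok, message); ok is False when the period exceeds max_days."""
    days = lifetime_days(text)
    if days > max_days:
        return False, f"certificate valid for {days} days, exceeds {max_days}-day maximum"
    return True, f"certificate valid for {days} days"


def parse_expiration_days(value, max_days=MAX_LIFETIME_DAYS):
    """Validate the argument of a hypothetical --expiration-days=N option.

    Only a positive integer no larger than max_days is accepted, so a typo
    or an over-long value never reaches `openssl req -days` unnoticed.
    """
    if not re.fullmatch(r"[0-9]+", value):
        raise ValueError(f"--expiration-days expects a positive integer, got {value!r}")
    days = int(value)
    if days < 1:
        raise ValueError("--expiration-days must be at least 1")
    if days > max_days:
        raise ValueError(f"--expiration-days={days} exceeds the {max_days}-day maximum")
    return days


def openssl_req_args(days, key_path, cert_path, config_path):
    """Argument list a make-ssl-cert-style script would run (assumed shape; not executed here)."""
    return ["openssl", "req", "-config", config_path, "-new", "-x509",
            "-days", str(days), "-nodes", "-out", cert_path, "-keyout", key_path]


def read_installed_validity(cert_path="/etc/ssl/certs/ssl-cert-snakeoil.pem"):
    """Run openssl against a real certificate, or return None if that is not possible."""
    if not shutil.which("openssl"):
        return None
    proc = subprocess.run(
        ["openssl", "x509", "-startdate", "-enddate", "-noout", "-in", cert_path],
        capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    for label, sample in (("default (3650 days)", SAMPLE_DEFAULT), ("short (10 days)", SAMPLE_SHORT)):
        print(label, check_lifetime(sample))
    live = read_installed_validity()
    if live:
        print("installed snakeoil:", check_lifetime(live))
```

Run it as-is to see both constructed samples evaluated; on a host with openssl and the default snakeoil path it also reports the installed certificate. The check uses `notBefore`/`notAfter` rather than the `-days` value because the certificate on disk, not the script argument, is what clients see.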
[Bug 1853021] Re: ssl-cert generate-default-snakeoil provides no way to override default 10 year expiration or reduce to 825 day expiration
** Description changed:

  The CA/Browser Forum now has a standard with maximum expiration of 825
  days.
  
  References:
  https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/
  https://www.sslshopper.com/cab-forum-reduces-max-cert-validity-to-825-days.html
  https://support.apple.com/en-us/HT210176
  
  Related previous issue when changed from 30-days to 10-years:
  "ssl-cert generate-default-snakeoil provides no way to override default 30 day expiration"
  https://bugs.launchpad.net/ubuntu/+source/ssl-cert/+bug/253512
+ 
+ """
+ The openssl req command requires a -days argument to override the
+ default number of days (30) for validity of self-signed certificates.
+ 30 days seems an unreasonably low default.
+ 
+ I have found no way to change this without fiddling with
+ /usr/sbin/make-ssl-cert and adding "-days 365" (for example) to the
+ relevant command line.
+ """
[Bug 1853021] Re: ssl-cert generate-default-snakeoil provides no way to override default 10 year expiration or reduce to 825 day expiration
** Summary changed:

- ssl-cert generate-default-snakeoil provides no way to override default 10 year expiration
+ ssl-cert generate-default-snakeoil provides no way to override default 10 year expiration or reduce to 825 day expiration