[Bug 854927] Re: c_rehash creating bogus links to ca-certificates.crt
** Changed in: ca-certificates (Debian)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/854927

Title:
  c_rehash creating bogus links to ca-certificates.crt

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/854927/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 854927] Re: c_rehash creating bogus links to ca-certificates.crt
** Changed in: ca-certificates (Debian)
       Status: New => Fix Committed
[Bug 854927] Re: c_rehash creating bogus links to ca-certificates.crt
** Changed in: ca-certificates (Debian)
       Status: Unknown => New
[Bug 854927] Re: c_rehash creating bogus links to ca-certificates.crt
Should be fixed by Loïc's recent change:

openssl (1.0.0e-2ubuntu2) oneiric; urgency=low

  * Unapply patch c_rehash-multi and comment it out in the series as it
    breaks parsing of certificates with CRLF line endings and other cases
    (see Debian #642314 for discussion), it also changes the semantics of
    c_rehash directories by requiring applications to parse hash link
    targets as files containing potentially *multiple* certificates rather
    than exactly one. LP: #855454.

 -- Loïc Minier <loic.min...@ubuntu.com>  Tue, 27 Sep 2011 18:13:07 +0200

** Changed in: openssl (Ubuntu Oneiric)
       Status: Triaged => Fix Released

** Changed in: openssl (Ubuntu Oneiric)
     Assignee: Colin Watson (cjwatson) => Loïc Minier (lool)
[Bug 854927] Re: c_rehash creating bogus links to ca-certificates.crt
While this won't happen with current ca-certificates, I think we should revert the changes which caused this bug: in Debian's 20110421 QA upload, a c_rehash call was added to postinst for upgrades from versions <= 20090814+nmu3; this was an attempt to rebuild the symlinks in /etc/ssl/certs, but because update-ca-certificates wasn't removing /etc/ssl/cert/ca-certificates.crt, it did generate one symlink to this file for the first certificate.

With the Debian change from openssl 1.0.0e-1 to support multiple certificates in one file, this probably took even worse proportions. However this probably depended on the order in which c_rehash processed files; it just does readdir() and generates links for the first certificate of each .pem and .crt file it finds.

Now in 20110502+nmu1ubuntu1/20110502+nmu1ubuntu2, a call was added to properly regenerate the links, but kept the plain c_rehash call *after* it in the postinst, so that it might trigger when upgrading from <= 20090814+nmu3 (so upgrades from natty or lucid will cause this).

Because of the new call I've added in 20110502+nmu1ubuntu4 to regenerate certs when upgrading from <= 20110502+nmu1ubuntu4, this should be fixed for oneiric users.

Now, what needs to be fixed:
 * plain c_rehash is wrong in any case; also an issue in Debian (and the rm needs to be copied there too)
 * postinst has tons of update-ca-certificates calls, mine is the strongest one as it affects all updates (from natty); all of these should be dropped after oneiric

Now this could be fixed in oneiric + 1, but it would be clearer to remove these now to prevent any regression when removing the postinst snippets (e.g. leaving the plain c_rehash call alone after oneiric would be wrong).

** Changed in: ca-certificates (Ubuntu Oneiric)
       Status: Fix Released => Triaged

** Changed in: ca-certificates (Ubuntu Oneiric)
    Milestone: ubuntu-11.10-beta-2 => None

** Changed in: ca-certificates (Ubuntu Oneiric)
     Assignee: Steve Langasek (vorlon) => Loïc Minier (lool)
[Bug 854927] Re: c_rehash creating bogus links to ca-certificates.crt
I've sent a patch to Debian including Steve's changes to remove ca-certificates.crt before running c_rehash in update-ca-certificates; will set bug id once I have it.

** Changed in: ca-certificates (Ubuntu Oneiric)
       Status: Triaged => Fix Committed
[Bug 854927] Re: c_rehash creating bogus links to ca-certificates.crt
This bug was fixed in the package ca-certificates - 20110502+nmu1ubuntu5

---------------
ca-certificates (20110502+nmu1ubuntu5) oneiric; urgency=low

  * Tweak postinst to not run update-ca-certificates multiple times and
    remove dangerous plain c_rehash snippet; LP: #854927.

 -- Loic Minier <loic.min...@ubuntu.com>  Wed, 28 Sep 2011 15:49:34 +0200

** Changed in: ca-certificates (Ubuntu Oneiric)
       Status: Fix Committed => Fix Released
[Bug 854927] Re: c_rehash creating bogus links to ca-certificates.crt
** Bug watch added: Debian Bug tracker #643667
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=643667

** Changed in: ca-certificates (Debian)
   Importance: Undecided => Unknown

** Changed in: ca-certificates (Debian)
       Status: New => Unknown

** Changed in: ca-certificates (Debian)
 Remote watch: None => Debian Bug tracker #643667
[Bug 854927] Re: c_rehash creating bogus links to ca-certificates.crt
** Also affects: ca-certificates (Debian)
   Importance: Undecided
       Status: New
[Bug 854927] Re: c_rehash creating bogus links to ca-certificates.crt
Is this really the entirety of the bug? With the new openssl but the old ca-certificates, I ran:

  $ sudo update-ca-certificates --fresh
  ...
  $ ls -l /usr/lib/ssl/certs/55a10908.0
  lrwxrwxrwx 1 root root 19 2011-09-21 13:27 /usr/lib/ssl/certs/55a10908.0 -> ca-certificates.crt
  $ curl -sS http://launchpad.net
  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>301 Moved Permanently</title>
  </head><body>
  <h1>Moved Permanently</h1>
  <p>The document has moved <a href="https://launchpad.net/">here</a>.</p>
  <hr>
  <address>Apache/2.2.14 (Ubuntu) Server at launchpad.net Port 80</address>
  </body></html>

What am I missing?

While we could certainly change c_rehash to make sure it always prefers .pem files over .crt (and that might be preferable anyway), I wonder why libssl is unable to deal with the .crt files ...
[Bug 854927] Re: c_rehash creating bogus links to ca-certificates.crt
What exactly are you trying to show, Colin? You're connecting to http...
[Bug 854927] Re: c_rehash creating bogus links to ca-certificates.crt
Whoops, I'm also unwell today and not thinking clearly. But in any case HTTPS works too:

  $ wget https://www.google.com
  --2011-09-21 14:52:14--  https://www.google.com/
  Resolving www.google.com... 209.85.147.147, 209.85.147.99, 209.85.147.103, ...
  Connecting to www.google.com|209.85.147.147|:443... connected.
  HTTP request sent, awaiting response... 302 Found
  Location: https://encrypted.google.com/ [following]
  --2011-09-21 14:52:14--  https://encrypted.google.com/
  Resolving encrypted.google.com... 209.85.147.100, 209.85.147.101, 209.85.147.102, ...
  Connecting to encrypted.google.com|209.85.147.100|:443... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: unspecified [text/html]
  Saving to: `index.html'

      [ <=> ] 11,434      --.-K/s   in 0.07s

  2011-09-21 14:52:15 (165 KB/s) - `index.html' saved [11434]

  $ curl -sS https://launchpad.net
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  [...]
[Bug 854927] Re: c_rehash creating bogus links to ca-certificates.crt
This bug was fixed in the package ca-certificates - 20110502+nmu1ubuntu2

---------------
ca-certificates (20110502+nmu1ubuntu2) oneiric; urgency=low

  * Really only call --fresh on upgrade, instead of all the time; thanks to
    Adam Conrad for catching this in the queue.

ca-certificates (20110502+nmu1ubuntu1) oneiric; urgency=low

  * sbin/update-ca-certificates: move the ca-certificates.crt bundle out of
    the way before calling c_rehash, so that symlinks don't accidentally get
    pointed here, breaking openssl certificate verification. LP: #854927.
  * debian/postinst: kludge in support for running update-ca-certificates
    --fresh on upgrade, to ensure we fix up the hash for anyone who happened
    to install from a daily.

 -- Steve Langasek <steve.langa...@ubuntu.com>  Tue, 20 Sep 2011 12:49:57 -0700

** Changed in: ca-certificates (Ubuntu Oneiric)
       Status: In Progress => Fix Released
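An added example (not part of the thread or of the ca-certificates package): a shell check for the condition the changelog above describes, hash symlinks in a certificate directory that resolve to a multi-certificate bundle such as ca-certificates.crt instead of a single certificate. The function names, the sample directory and its placeholder PEM bodies are constructed for illustration; only the names 55a10908.0 and ca-certificates.crt come from the thread.

```shell
#!/bin/sh
# Report hash-style symlinks in directory "$1" that are dangling or whose
# target does not contain exactly one certificate.
find_bogus_hash_links() {
    dir=$1
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        name=${link##*/}
        # Hash links: eight hex digits, a dot, then a collision counter.
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac
        if [ ! -e "$link" ]; then
            printf '%s dangling\n' "$name"
            continue
        fi
        # grep -c exits 1 on a zero count but still prints it.
        count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$link" || true)
        if [ "$count" -ne 1 ]; then
            printf '%s -> %s (%s certificates)\n' \
                "$name" "$(readlink "$link")" "$count"
        fi
    done
}

# Write a placeholder PEM block; the body is not a real certificate, the
# check above only counts BEGIN markers.
fake_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}

# Build a constructed sample directory: two single-certificate files, a
# bundle of both, one good hash link and one link pointing at the bundle.
make_sample_dir() {
    d=$(mktemp -d)
    fake_pem AAAA > "$d/ExampleRootA.pem"
    fake_pem BBBB > "$d/ExampleRootB.pem"
    cat "$d/ExampleRootA.pem" "$d/ExampleRootB.pem" > "$d/ca-certificates.crt"
    ln -s ExampleRootA.pem "$d/0a1b2c3d.0"       # constructed hash name
    ln -s ca-certificates.crt "$d/55a10908.0"    # link name seen in the thread
    printf '%s\n' "$d"
}

# Usage on a real system: find_bogus_hash_links /etc/ssl/certs
```

No output means every hash link resolves to a file holding exactly one certificate.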
[Bug 854927] Re: c_rehash creating bogus links to ca-certificates.crt
Following up on the irc comment that Steve Langasek pasted, I can confirm that reverting the patch http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/oneiric/openssl/oneiric/revision/58#debian/patches/c_rehash-multi.patch followed by update-ca-certificates --fresh (without the workaround Steve added) also corrects the hashing/verification issue.

However, it does seem like the c_rehash patch is correcting undesirable behavior on its part.