Bug#904686: ssl-cert: RSA keylength is getting a bit short

2018-07-26 Thread David Magda
Package: ssl-cert Version: 1.0.39 Severity: wishlist The current default keylength for the snakeoil cert is 2048 bits. However, these certs could now live for ten years (3650 days), which as I type this could be up to 2028. Various technical bodies are recently that for long-lived secrets, a

Bug#904684: ssl-cert: HostName length check is too small

2018-07-26 Thread David Magda
Package: ssl-cert Version: 1.0.39 Severity: normal In the make_snakeoil() function, the code gets the FQDN of the system via a call to 'hostname -f'. Then it checks if the FQDN is longer than 64 characters, and if it is, uses the short hostname. However, a FQDN can be up to 255 octets per

Bug#861185: ssl-cert: snakeoil certs need to have Subject Alternative Names

2017-04-25 Thread David Magda
Package: ssl-cert Version: 1.0.35 Severity: important Newer web browsers (Chrome 58+, Firefox 48+) are requiring that Subject Alternative Names (SANs) be present in certificates, and are ignoring the Common Name (CN) field. The snakeoil certs generated by make-ssl-cert(8) currently do not put

Bug#832036: ssl-cert: no easy way to have make-ssl-cert use a subjectAltName

2016-07-21 Thread David Magda
Package: ssl-cert Version: 1.0.35 Severity: wishlist The make-ssl-cert(8) utility has a bunch of things it can get from debconf: make-ssl-cert/vulnerable_prng: make-ssl-cert/altname: make-ssl-cert/hostname: make-ssl-cert/title: These are used in the ask_via_debconf() function. So it's

Bug#773815: Acknowledgement (ssl-cert in wheezy should default to SHA-2-based certs)

2015-02-10 Thread David Magda
Has anyone had a chance to look at this and consider the changes to wheezy and/or squeeze-lts? -- To UNSUBSCRIBE, email to debian-apache-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive:

Bug#773815: ssl-cert in wheezy should default to SHA-2-based certs

2014-12-23 Thread David Magda
Package: ssl-cert Version: 1.0.32 Severity: normal Version 1.0.35 in jessie/testing creates snakeoil certs with SHA-256 as the hashing algorithm, but the version in wheezy still uses SHA-1. Given the change in policy of the major browsers (IE, FF, Chrome) to start marking SHA-1-based certs as

Bug#733255: ssl-cert: start creating SHA2-based certificates

2013-12-27 Thread David Magda
Package: ssl-cert Version: 1.0.32 Severity: normal Dear Maintainer, Currently running make-ssl-cert creates self-signed (snake oil) certificates which use the Signature Algorithm sha1WithRSAEncryption. This has been fine for the last few years, but there are some recent changes that warrant

Bug#674142: fix for 2.2.16?

2012-11-15 Thread David Magda
This bug is marked as done, but that's only the case for the wheezy package (2.2.22). I don't see new binaries for squeeze (2.2.16). Can you either add the patch to the squeeze package or add something to squeeze-backports?

Bug#635271: please enable SSLEngine optional

2011-07-24 Thread David Magda
Package: apache2 Version: 2.2.16-6+squeeze1 Severity: wishlist Recent versions of Apache support RFC 2817, which allows HTTP software to 'upgrade' connections from non-encrypted to encrypted status; it is sometimes referred to as StartTLS for HTTP. http://tools.ietf.org/html/rfc2817