[email protected] writes:

> Gentlemen, I have discovered WWWOFFLE is effectively equipped with a
> 'time bomb', that will put smaller devices (e.g., cellphones) out of
> business (once a year?), unless one knows how to reboot it into single
> user mode and disable /etc/init.d/wwwoffle... Quite a research feat as
> all one might see is a stuck splash screen on a smaller device.
>
> By the way, that is if in fact one ever gets it installed in the first
> place on smaller devices, with little entropy.

Can I enquire as to what this portable device is that you use WWWOFFLE
on?


> Luckily today I was using a larger device when it happened.
>
> Today booting stalled at
>    Starting HTTP cache proxy server: wwwoffled
>
> After waiting a minute I started hitting control keys.
>
> Only ALT CTRL DEL worked: reboot.
>
> Then in single user mode, I removed wwwoffle from the boot sequence,
> and examined the logs.
>
> Mar 13 17:32:22 jidanni2 wwwoffled[2409]: The WWWOFFLE root CA certificate has expired; replacing it.
> Mar 13 17:32:22 jidanni2 wwwoffled[2409]: The WWWOFFLE root CA private key file 'certificates/root/root-key.pem' does not exist; creating it.
> Mar 13 17:32:22 jidanni2 wwwoffled[2409]: Creating private key, this may take a long time.
> Mar 13 17:33:25 jidanni2 shutdown[2410]: shutting down for system reboot
>
> Ah, so that is what it was doing. Wish I would have known.

I don't think that you can blame WWWOFFLE for not telling you what was
happening.  There is a message from WWWOFFLE that does say just this
(as you have seen).  Obviously it is up to the user or packager of the
program how much of the warning information is made available at boot
time.


> So, every time "the root CA certificate has expired; replacing it"
> wwwoffle causes a major outage not only for itself, but the whole
> system: one can only reboot.

Expiring security certificates is good practice and, as I said in
yesterday's message, GnuTLS originally had no option but to generate
certificates using high-quality randomness.


> Can one disable the expiring of the certificate, or be allowed to bang
> on the keyboard to give it the entropy it wants?
>
> I don't see it mentioned in wwwoffle.conf.

How the random numbers are generated is outside of the control of
WWWOFFLE.  Banging on the keyboard may or may not help.


> Can I set up anacron to fool it by touch(1)ing the certificate once a
> year?
>
> Maybe one should keep a few certificates handy and change a couple
> letters in them to fool wwwoffle?

No, the certificates cannot be tricked into expiring at a different
time.  There are good security reasons that certificates are made not
to be tampered with.

If you want to change the expiration of the certificates then you need
a patch like this (use 10 years, not 1 year):

-------------------- patch for certificates.c --------------------
--- certificates.c      2009/03/13 19:02:10     1.33
+++ certificates.c      2009/03/14 19:11:24
@@ -1030,7 +1030,7 @@
  if(err<0)
    {PrintMessage(Warning,"Could not set the certificate activation time for 
'%s' [%s].",errmsg_hostname,gnutls_strerror(err));return(11);}
 
- err=gnutls_x509_crt_set_expiration_time(crt,time(NULL)+365*24*3600);
+ err=gnutls_x509_crt_set_expiration_time(crt,time(NULL)+10*365*24*3600);
  if(err<0)
    {PrintMessage(Warning,"Could not set the certificate expiration time for 
'%s' [%s].",errmsg_hostname,gnutls_strerror(err));return(12);}
 
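Review bot: the warning messages in this hunk name errmsg_hostname, so the call being changed sets the expiration on a per-host certificate rather than on the root CA whose expiry appears in the log above; check whether the root CA is issued by a separate gnutls_x509_crt_set_expiration_time call that needs the same change, or the reboot-time regeneration will recur on its current schedule. The lifetime would also read better as a named constant (or a wwwoffle.conf setting) than as a second copy of the `10*365*24*3600` arithmetic, and a ten-year host certificate buys little on its own: once the root is replaced, as the log shows happening, host certificates signed by the old root no longer chain to it.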
-------------------- patch for certificates.c --------------------


> I admit I'd be happy using a pair of underwear for the certificate.
> Can't there be some fallback mode? E.g., doomsday only if I attempt to
> browse a secure site.

The WWWOFFLE root certificate is needed for WWWOFFLE to operate as an
https server, not just for when visiting a secure site.

-- 
Andrew.
----------------------------------------------------------------------
Andrew M. Bishop                             [email protected]
                                      http://www.gedanken.demon.co.uk/

WWWOFFLE users page:
        http://www.gedanken.demon.co.uk/wwwoffle/version-2.9/user.html
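The two practical points in this reply, that a root CA should be regenerated before it expires rather than at boot on an entropy-starved box, and that neither touch(1) nor editing a few bytes can move a certificate's expiry date, are shown below in an added example that is not part of the original message or of WWWOFFLE. It uses the openssl(1) command-line tool and a constructed self-signed CA with a two-day lifetime; the certificate path certificates/root/root-cert.pem is an assumption (only root-key.pem is named in the log above), and root_ca_status is the check a practitioner would run from anacron with a warning window of a few weeks.

```shell
#!/bin/sh
# Added example, not WWWOFFLE's own code: a pre-expiry check for the root CA
# plus a demonstration of why touch(1) and byte edits cannot move a
# certificate's expiry date. Requires the openssl(1) command-line tool.
set -u

WORK="${TMPDIR:-/tmp}/wwwoffle-ca-demo.$$"
mkdir -p "$WORK"

# Constructed sample: a self-signed CA valid for 2 days. It stands in for
# certificates/root/root-cert.pem (an assumed path; only root-key.pem is
# named in the log above).
make_sample_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo WWWOFFLE root CA" \
        -keyout "$WORK/root-key.pem" -out "$WORK/root-cert.pem" >/dev/null 2>&1
}

# Print the notAfter field of a PEM certificate.
not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 if the certificate expires within $2 seconds, 1 otherwise.
# (openssl -checkend exits 0 when the certificate is still valid at that time.)
expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# The check to run from anacron: warn well before expiry so the key can be
# regenerated on a busy, well-seeded machine instead of at boot on a small one.
root_ca_status() {   # $1 = cert path, $2 = warning window in seconds
    if [ ! -f "$1" ]; then echo "missing"; return 2; fi
    if expires_within "$1" 0; then echo "expired"; return 2; fi
    if expires_within "$1" "$2"; then echo "renew-soon"; return 1; fi
    echo "ok"; return 0
}

# touch(1) only changes the file's mtime; notAfter lives inside the signed
# DER structure and does not move.
touch_keeps_not_after() {
    before=$(not_after "$WORK/root-cert.pem")
    touch -t 203001010000 "$WORK/root-cert.pem"
    after=$(not_after "$WORK/root-cert.pem")
    [ "$before" = "$after" ]
}

# Editing bytes inside the certificate breaks its signature instead of
# fooling anything. Overwrite the first byte of the serial number (offset 15
# in a DER certificate whose outer and TBS lengths use the two-byte 0x82
# form, as a 2048-bit RSA certificate does) and verify against the original.
tampered_cert_fails_verify() {
    openssl x509 -in "$WORK/root-cert.pem" -outform DER -out "$WORK/tampered.der"
    old=$(od -An -tu1 -j15 -N1 "$WORK/tampered.der" | tr -d ' ')
    new=$(( (old % 255) + 1 ))        # always differs from old, never 0
    printf "$(printf '\\%03o' "$new")" |
        dd of="$WORK/tampered.der" bs=1 seek=15 conv=notrunc 2>/dev/null
    # If the edit already made the DER unparsable, that is a failure too.
    openssl x509 -in "$WORK/tampered.der" -inform DER \
        -out "$WORK/tampered.pem" 2>/dev/null || return 0
    ! openssl verify -CAfile "$WORK/root-cert.pem" "$WORK/tampered.pem" >/dev/null 2>&1
}

# Stand-alone run: build the sample and report it with a 30-day warning window.
if [ "${1:-}" = "demo" ]; then
    make_sample_ca && root_ca_status "$WORK/root-cert.pem" $((30*24*3600))
    touch_keeps_not_after && echo "touch did not change notAfter"
    tampered_cert_fails_verify && echo "tampered certificate fails verification"
    rm -rf "$WORK"
fi
```

For a real deployment, point root_ca_status at the WWWOFFLE spool's root certificate and a window of a few weeks; when it prints "renew-soon", stop wwwoffled, remove the old root certificate and key so the server regenerates them at the next start, and do it while the machine is up and has entropy, not at boot. Note that regenerating the root invalidates every cached per-host certificate it signed, so the patch above only helps the host certificates if the root change is handled too.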
