make-ssl-cert creates improper hash symlink to ssl-cert-snakeoil.pem

Bug #1324897 reported by Cedric Gustin
Affects: ssl-cert (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Steps to reproduce:

   1. Generate new snakeoil SSL certificates with 'sudo make-ssl-cert generate-default-snakeoil --force-overwrite'
   2. Get hash of new certificate with 'openssl x509 -hash -noout -in /etc/ssl/certs/ssl-cert-snakeoil.pem', say fd1e9cf4
   3. Check that fd1e9cf4.0 symlink to ssl-cert-snakeoil.pem was created in /etc/ssl/certs

Problem:

   - fd1e9cf4 symlink is created instead of fd1e9cf4.0 (with .0 extension)
   - if you're lucky, the hash has not changed and you still have the old fd1e9cf4.0 symlink.
   - if you're unlucky (random seed has changed or you chose a different keysize), the hash will change, the wrong symlink will be created and certification validation will fail, for example when using TLS with postfix:

     postfix/smtpd[3828]: warning: TLS library problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1260:SSLalert number 48
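The following POSIX shell script is an added example, not code from the reporter or from the ssl-cert package. It reproduces the symptom in a scratch directory: a throwaway self-signed certificate stands in for ssl-cert-snakeoil.pem, a link named only after the subject hash (what the buggy make-ssl-cert produced) is created first, then the correct `<hash>.0` link. `openssl verify -CApath` uses the same `<hash>.N` lookup convention, so it shows directly that the suffix-less link is invisible to OpenSSL while the `.0` link makes the certificate resolvable. It assumes the `openssl` CLI is installed; all file names, the subject and the directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of ssl-cert): create and audit the "<subject-hash>.0"
# symlink that OpenSSL's CApath lookup expects. Assumes the openssl CLI;
# every path, name and certificate below is constructed for this demo.

# Subject-name hash as printed by 'openssl x509 -hash' (8 hex characters).
cert_hash() {
    openssl x509 -hash -noout -in "$1"
}

# Fixed behaviour: link <dir>/<hash>.0 -> <cert basename>. Prints the link path.
make_hash_link() {
    _dir=$1; _cert=$2
    _hash=$(cert_hash "$_cert") || return 1
    ln -sf "$(basename "$_cert")" "$_dir/$_hash.0" || return 1
    printf '%s\n' "$_dir/$_hash.0"
}

# Audit one certificate against a CA directory.
#   0 = usable "<hash>.0" link present
#   1 = only a "<hash>" link without the ".0" suffix (the symptom in this bug)
#   2 = no link, or a dangling "<hash>.0" link
check_hash_link() {
    _dir=$1; _cert=$2
    _hash=$(cert_hash "$_cert") || return 3
    if [ -L "$_dir/$_hash.0" ] && [ -e "$_dir/$_hash.0" ]; then
        return 0
    elif [ -L "$_dir/$_hash.0" ]; then
        echo "$_dir/$_hash.0: hash link is dangling" >&2
        return 2
    elif [ -L "$_dir/$_hash" ]; then
        echo "$_dir/$_hash: hash link lacks the .0 suffix" >&2
        return 1
    fi
    echo "$_dir: no hash link for $_cert" >&2
    return 2
}

# Does OpenSSL accept <cert> when <dir> is the CA path? (exit 0 = yes)
verify_via_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Constructed self-signed certificate standing in for ssl-cert-snakeoil.pem.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=snakeoil-example' \
        -keyout "$1/ssl-cert-snakeoil.key" -out "$1/ssl-cert-snakeoil.pem" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_test_cert "$d" || { echo "openssl req failed" >&2; return 1; }
    c=$d/ssl-cert-snakeoil.pem
    h=$(cert_hash "$c")
    echo "subject hash: $h"
    # What the buggy make-ssl-cert did: a link named "<hash>" with no ".0".
    ln -sf ssl-cert-snakeoil.pem "$d/$h"
    check_hash_link "$d" "$c"; echo "check with suffix-less link: rc=$?"
    verify_via_capath "$d" "$c" && echo "verify: OK" || echo "verify: FAILED (issuer not found)"
    # Fixed behaviour: "<hash>.0".
    make_hash_link "$d" "$c" >/dev/null
    check_hash_link "$d" "$c"; echo "check with .0 link: rc=$?"
    verify_via_capath "$d" "$c" && echo "verify: OK" || echo "verify: FAILED"
    rm -rf "$d"
}

demo
```

The audit function is the piece worth keeping: run it over `/etc/ssl/certs` against the certificate you expect to be trusted and a return code of 1 pinpoints exactly the mis-named link this report describes.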

Revision history for this message
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package ssl-cert - 1.1.0

---------------
ssl-cert (1.1.0) unstable; urgency=medium

  [ Stefan Fritsch ]
  * Remove obsolete openssl-blacklist suggests.
  * Add some autopkgtests. LP: #1679405
  * Create correct hash symlink. LP: #1324897
  * Automatically re-create the default snakeoil certificate if its key
    length is below 2048 bits or if the signature algorithm is not sha256.
    Closes: #924881

  [ Bryce Harrington ]
  * Refactor make-ssl-cert a bit, add usage message.
  * Add --expiration-days option. LP: #1853021

 -- Stefan Fritsch <email address hidden> Mon, 28 Dec 2020 15:20:52 +0100

Changed in ssl-cert (Ubuntu):
status: New → Fix Released