Package: telnetd-ssl
Version: 0.17.24+0.1-7.1
Severity: important

The postinst script of the telnetd-ssl package contains a call to the openssl req command to generate a temporary self-signed certificate. It invokes openssl with its default configuration file (without specifying something else with the -config command line option) and simulates user input by passing some responses to stdin of this command.

But the number and order of the questions which openssl req asks during certificate signing request generation can be altered in the OpenSSL configuration file. So, if the user changed something in the [ req_distinguished_name ] or [ req_attributes ] sections of /etc/ssl/openssl.conf, the postinst script might fail with very cryptic diagnostics. I've had to run the postinst script manually using sh -x to find the cause of the problem.

A better solution is to generate a temporary config file with all certificate info filled in from the postinst script and then run openssl req in non-interactive mode (with the -batch and -config switches).

As an intermediate fix, the script can check whether /etc/ssl/telnetd.pem was actually generated, and if not, display an error message telling the user "Certificate generation failed, probably due to non-standard OpenSSL configuration. Please create telnetd.pem file manually and then reconfigure package". And if telnetd.pem exists, the script has to check (and maybe fix) its permissions and rehash it.

Moreover, the script uses an incorrect command to create the symlink to the certificate based on its hash value:

    ln -sf telnetd.pem `openssl x509 -noout -hash < telnetd.pem`.0

Really, OpenSSL adds .0, .1 etc. suffixes to these links to avoid a clash if there exists another certificate with the same hash value. This command forcibly uses the .0 suffix, which might conflict with another CA certificate and make it inaccessible to OpenSSL.
It is better to use the c_rehash utility from the OpenSSL package or the Debian update-ca-certificates script.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.16-athlon
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages telnetd-ssl depends on:
ii  adduser      3.63                  Add and remove users and groups
ii  base-files   3.1.2                 Debian base system miscellaneous f
ii  dpkg         1.10.28               Package maintenance system for Deb
ii  libc6        2.3.2.ds1-22sarge3    GNU C Library: Shared libraries an
ii  libncurses5  5.4-4                 Shared libraries for terminal hand
ii  libssl0.9.8  0.9.8b-1              SSL shared libraries
ii  netbase      4.21                  Basic TCP/IP networking system
ii  openssl      0.9.8b-1              Secure Socket Layer (SSL) binary a
ii  passwd       1:4.0.3-31sarge5      change and administer password and

-- no debconf information
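
The approach proposed in the report, as an added example (not part of the original report and not the package's postinst): openssl req reads the subject from a private temporary config in -batch mode, the result is checked before it is installed with restrictive permissions, and the hash link takes the first free suffix instead of overwriting .0. The subject fields, key size, lifetime and both function names are assumptions; link_cert_hash is a simplified stand-in for c_rehash.

```sh
#!/bin/sh
# Added example, not the package's postinst. Subject fields, key size and
# lifetime are constructed placeholder values.

# gen_selfsigned_pem OUT: write a self-signed certificate plus key to OUT.
# The body runs in a subshell so the umask change and trap stay local.
gen_selfsigned_pem() (
    out=$1
    umask 077
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    # req reads the subject from this private file, so edits to the
    # [ req_distinguished_name ] or [ req_attributes ] sections of the
    # system-wide configuration cannot change what it asks for.
    cat > "$tmp/req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
C  = XX
O  = Example Org
CN = localhost
EOF
    if ! openssl req -batch -config "$tmp/req.cnf" -new -x509 -nodes \
            -newkey rsa:2048 -days 365 \
            -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>"$tmp/err" ||
       ! [ -s "$tmp/cert.pem" ] || ! [ -s "$tmp/key.pem" ]; then
        echo "Certificate generation failed:" >&2
        cat "$tmp/err" >&2
        exit 1
    fi
    cat "$tmp/cert.pem" "$tmp/key.pem" > "$out" && chmod 600 "$out"
)

# link_cert_hash PEM: create HASH.N -> PEM next to PEM, using the first
# free N rather than overwriting HASH.0. Prints the link name.
link_cert_hash() {
    dir=$(dirname "$1"); base=$(basename "$1")
    hash=$(openssl x509 -noout -hash -in "$1") || return 1
    n=0
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        # A link that already points at this file is reused, not duplicated.
        [ "$(readlink "$dir/$hash.$n")" = "$base" ] && { echo "$hash.$n"; return 0; }
        n=$((n + 1))
    done
    ln -s "$base" "$dir/$hash.$n" && echo "$hash.$n"
}
```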