On 21/07/15 18:50, Thorsten Glaser wrote:
> Daniel Pocock <daniel <at> pocock.pro> writes:
>
>> I looked at the package ssl-cert to try and understand and there I found
>> that it is using /etc/ssl/certs for server certs while other packages
>
> Do NOT do that.
>
I wasn't suggesting that was desirable, it is just what I observed. As
mentioned, I had actually reported a bug about it:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790943

I agree that applications should check the CA constraint, but I feel it
increases the risk of administrative and programming errors when everything
is in a single directory.

> It’s causing trouble because some software (e.g. Gajim) reads all files
> under /etc/ssl/certs/ not just the hashed ones – presumably because
> OpenSSL 1.x changed the algorithm used for the hash, while GnuTLS
> keeps using the OpenSSL 0.x one (in MirBSD I just symlink them both).
>
> My suggestion is:
>
> /etc/ssl/private/foo.key ← 0640 root:ssl-cert, secret key
> /etc/ssl/foo.cer ← 0644 root:ssl-cert, public key / certificate plus DH
> parameters
> /etc/ssl/foo.ca ← 0644 root:ssl-cert, certificate chain EXCLUDING root
> certificate
>
> Then make sure to use the same “foo”.
>

Looking through various Debian boxes, I can't help noticing a range of
directories under /etc/ssl, e.g.

# ls -l /etc/ssl
total 60
drwxr-xr-x 2 root root     20480 Jun  6 18:57 certs
-rw-r--r-- 1 root root     10835 Mar 18  2013 openssl.cnf
drwx--x--- 2 root ssl-cert  4096 Jan 21  2014 private
drwxr-xr-x 2 root root      4096 Oct 20  2007 ssl.crl
drwxr-xr-x 2 root root      4096 Jul  1 18:49 ssl.crt
drwxr-xr-x 2 root root      4096 Jan 21  2014 ssl.csr
drwxr-xr-x 2 root root      4096 Jun  4 13:35 ssl.key
drwxr-xr-x 2 root root      4096 Oct 20  2007 ssl.prm

and on a more recent box:

# ls -l /etc/ssl
total 44
drwxr-xr-x 2 root root     24576 Jan 28  2015 certs
-rw-r--r-- 1 root root     10835 Jun 15  2014 openssl.cnf
drwx--x--- 2 root ssl-cert  4096 Jul 21  2014 private

Does anybody know which packages create or use the /etc/ssl/ssl.*
directories and was there any standard for using them?

The default permissions on /etc/ssl/ssl.key don't look great.

Archive: https://lists.debian.org/55bdd9d2.3010...@pocock.pro
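The layout quoted in the reply above (a secret key in private/ at 0640 root:ssl-cert, a 0644 certificate and a 0644 chain file sharing the key's basename, and nothing under private/ readable by "other") is easy to state and easy to get wrong by hand. The following script is an added example for this thread; it is not from the original post and not code from Debian or the ssl-cert package. It audits an /etc/ssl-style tree against that layout and against the drwx--x--- root:ssl-cert mode that the ls listings show for private/. It assumes GNU stat(1) (Linux); the expected owner and group are parameters so it can be exercised on a constructed tree that is not owned by root:ssl-cert, and make_sample_tree creates only empty placeholder files, not real keys.

```shell
#!/bin/sh
# Added example (not from the original post, nor Debian's/ssl-cert's own code):
# audit a directory laid out like /etc/ssl against the suggested scheme
#   DIR/private/foo.key  0640 OWNER:GROUP   secret key (0600 also accepted)
#   DIR/foo.cer          0644 OWNER:GROUP   certificate (+ DH parameters)
#   DIR/foo.ca           0644 OWNER:GROUP   chain, excluding the root
# and flag anything under private/ that is readable by "other".
# Assumes GNU stat(1). OWNER/GROUP are parameters (root ssl-cert on Debian).

# report FILE MESSAGE: print one finding
report() { printf '%s: %s\n' "$1" "$2"; }

# check_owner FILE OWNER GROUP
check_owner() {
    o=$(stat -c '%U' "$1"); g=$(stat -c '%G' "$1")
    [ "$o" = "$2" ] && [ "$g" = "$3" ] && return 0
    report "$1" "owned by $o:$g, want $2:$3"; return 1
}

# check_mode FILE OCTAL OWNER GROUP: exact mode plus ownership
check_mode() {
    r=0
    m=$(stat -c '%a' "$1")
    [ "$m" = "$2" ] || { report "$1" "mode $m, want $2"; r=1; }
    check_owner "$1" "$3" "$4" || r=1
    return $r
}

# audit_ssl_tree DIR OWNER GROUP: one line per finding; returns 0 if clean
audit_ssl_tree() {
    dir=$1; owner=$2; group=$3; bad=0
    # private/ as shipped by Debian's ssl-cert: drwx--x--- root ssl-cert
    check_mode "$dir/private" 710 "$owner" "$group" || bad=1
    for key in "$dir"/private/*.key; do
        [ -e "$key" ] || continue
        base=$(basename "$key" .key)
        m=$(stat -c '%a' "$key")
        case "$m" in
            640|600) ;;   # group-readable for the ssl-cert group, or owner-only
            *) report "$key" "mode $m, want 640 or 600"; bad=1 ;;
        esac
        check_owner "$key" "$owner" "$group" || bad=1
        # certificate and chain must use the same basename as the key
        [ -f "$dir/$base.cer" ] || { report "$key" "no matching $dir/$base.cer"; bad=1; }
        [ -f "$dir/$base.ca" ]  || { report "$key" "no matching $dir/$base.ca (chain)"; bad=1; }
    done
    for pub in "$dir"/*.cer "$dir"/*.ca; do
        [ -e "$pub" ] || continue
        check_mode "$pub" 644 "$owner" "$group" || bad=1
    done
    # anything world-readable under private/ is a leak, whatever it is named
    for f in "$dir"/private/*; do
        [ -e "$f" ] || continue
        if [ $(( 0$(stat -c '%a' "$f") & 04 )) -ne 0 ]; then
            report "$f" "readable by other"; bad=1
        fi
    done
    return $bad
}

# make_sample_tree DIR good|bad: constructed test data (empty files, no real keys)
make_sample_tree() {
    mkdir -p "$1/private"; chmod 710 "$1/private"
    if [ "$2" = good ]; then
        : > "$1/private/foo.key"; chmod 640 "$1/private/foo.key"
        : > "$1/foo.cer"; chmod 644 "$1/foo.cer"
        : > "$1/foo.ca";  chmod 644 "$1/foo.ca"
    else
        : > "$1/private/bar.key"; chmod 644 "$1/private/bar.key"  # world-readable key
        : > "$1/bar.cer"; chmod 644 "$1/bar.cer"                  # no bar.ca chain file
    fi
}

# Usage on a real system:  sh audit-ssl.sh /etc/ssl root ssl-cert
if [ $# -eq 3 ]; then
    audit_ssl_tree "$1" "$2" "$3"
fi
```

The mode test for private/ is exact (710) because that is what the listings in the message show, while a key at 0600 is accepted alongside 0640: tighter than suggested is not a finding. A natural next step, not shown here, is to confirm that each foo.key actually belongs to foo.cer by comparing the public keys that openssl pkey -pubout and openssl x509 -pubkey -noout print.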