Bug#464930: ssl-cert: please use 'hostname -f' in /usr/sbin/make-ssl-cert

Package: ssl-cert
Version: 1.0.14
Severity: important
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: ubuntu-patch origin-ubuntu hardy

make-ssl-cert currently uses 'hostname' to set the cn of the default snake oil certificate. This results in a cn set to a relative hostname, not an FQDN (which would be given by 'hostname -f'). This yields a suboptimal certificate: OpenLDAP, for instance, will map 'localhost' to the fqdn when verifying certificates, which will properly fail to match the relative hostname in most cases, and there's also the issue that having a certificate that only works with the relative hostname ensures that users will only /connect/ using the relative hostname, opening a subtle attack vector in the form of hostname collisions in the domain search list.

The attached patch implements this change in the most trivial fashion. However, it's probably also reasonable to have the unqualified hostname as an alternative name in the certificate for convenience; in that case, it makes sense to add a subjectAlternativeName to the snakeoil cert as well, including the value of $(hostname). If you prefer, I can look at implementing this.

Incidentally, is this package actually maintained today? I notice that the maintainer is listed as "Debian Apache Maintainers", and that none of the uploaders listed have been active in Apache maintenance for some time...

Cheers,

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    
http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

-- To UNSUBSCRIBE, email to debian-apache-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org