Bug#863796: unblock: e2guardian/3.4.0.3-2

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Wed May 31 09:58:16 UTC 2017


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock

Please consider unblocking not-yet-uploaded package e2guardian

Quite recently Google Chrome changed its policy regarding certificate
requirements. Certs without a subjectAltName field now get rejected.

In the e2guardian content filter system, there is support for filtering
SSL-encrypted HTTP traffic by decrypting it, checking its content and then
re-encrypting the SSL-encrypted content. Whereas some consider this a
m-i-t-m attack, in some setups this makes good sense (e.g. in school
networks).

For re-encrypting the content, a self-signed set of certs gets used.
In previous versions, these certs lacked the SAN field. With a patch
from upstream (that they backported to the 3.4 branch of e2guardian esp.
for Debian 9), this issue has now been fixed.

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862855 for details.

unblock e2guardian/3.4.0.3-2

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
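The behaviour described above (a private CA issuing leaf certs per host, first without and then with a SAN entry) reproduced with the openssl CLI, as an added example that is not e2guardian's code nor part of the bug report; the CA name, hostname, file paths and the `has_san` checker are constructed for illustration, and openssl 1.1.1 or newer is assumed in PATH.

```shell
#!/bin/sh
# Added example (not e2guardian code): emulate the filter's MITM CA with
# the openssl CLI and check whether a leaf cert carries a subjectAltName.
# Assumes openssl >= 1.1.1; all names and paths below are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA, standing in for the filter's own CA cert and key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Filter CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a leaf cert for host $1. Mode "san" mirrors the fixed behaviour
# (subjectAltName=DNS:<commonname>); any other mode mirrors the old one,
# where only the CN carried the hostname. Prints the cert path.
make_leaf() {
    host="$1"; mode="$2"; out="$WORK/$host.$mode.crt"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    if [ "$mode" = san ]; then
        printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
        openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" \
            -CAkey "$WORK/ca.key" -CAcreateserial -days 30 -sha256 \
            -extfile "$WORK/$host.ext" -out "$out" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" \
            -CAkey "$WORK/ca.key" -CAcreateserial -days 30 -sha256 \
            -out "$out" 2>/dev/null
    fi
    echo "$out"
}

# Returns 0 if cert $1 has a DNS SAN entry for host $2, 1 otherwise.
# This is the property Chrome now requires: a matching CN alone is not enough.
has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -qF "DNS:$2"
}
```

Run `make_ca`, then compare `has_san "$(make_leaf www.example.org nosan)" www.example.org` (fails) with the `san` mode (succeeds) to see the difference the patch makes.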
diff -Nru e2guardian-3.4.0.3/debian/changelog e2guardian-3.4.0.3/debian/changelog
--- e2guardian-3.4.0.3/debian/changelog	2016-09-07 16:37:57.000000000 +0200
+++ e2guardian-3.4.0.3/debian/changelog	2017-05-31 11:45:41.000000000 +0200
@@ -1,3 +1,12 @@
+e2guardian (3.4.0.3-2) unstable; urgency=medium
+
+  * debian/patches:
+    + Add 0001_fix-certificate-bug-with-chrome-browser.patch. Make sure
+      self-created certificates contain a SAN (subjectAltName) field. (Closes:
+      #862855).
+
+ -- Mike Gabriel <mike.gabriel at das-netzwerkteam.de>  Wed, 31 May 2017 11:45:41 +0200
+
 e2guardian (3.4.0.3-1) unstable; urgency=medium
 
   * Initial release to Debian. (Closes: #836281).
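Review bot: the entry only mentions the SAN addition, but the patch also changes the serial-number derivation in CertificateAuthority::getSerial (the "A" suffix becomes "B"), so every certificate regenerated after the upgrade gets a new serial; mention that in the changelog so an administrator understands why previously issued certificates are reissued rather than reused.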
diff -Nru e2guardian-3.4.0.3/debian/patches/0001_fix-certificate-bug-with-chrome-browser.patch e2guardian-3.4.0.3/debian/patches/0001_fix-certificate-bug-with-chrome-browser.patch
--- e2guardian-3.4.0.3/debian/patches/0001_fix-certificate-bug-with-chrome-browser.patch	1970-01-01 01:00:00.000000000 +0100
+++ e2guardian-3.4.0.3/debian/patches/0001_fix-certificate-bug-with-chrome-browser.patch	2017-05-31 11:40:40.000000000 +0200
@@ -0,0 +1,69 @@
+From 0e2bbdea7b4433b75fb73f8e915dbe0e1095fed1 Mon Sep 17 00:00:00 2001
+From: Fredb <numsys at free.fr>
+Date: Wed, 31 May 2017 09:33:09 +0200
+Subject: [PATCH] Bug #216 (v3.4.0.3) Fix certificate bug with chrome browser
+
+---
+ src/CertificateAuthority.cpp | 24 +++++++++++++++++++++++-
+ src/CertificateAuthority.hpp |  1 +
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/src/CertificateAuthority.cpp b/src/CertificateAuthority.cpp
+index 6202002..4e03ded 100755
+--- a/src/CertificateAuthority.cpp
++++ b/src/CertificateAuthority.cpp
+@@ -118,7 +118,7 @@ bool CertificateAuthority::getSerial(const char *commonname, struct ca_serial *c
+     // added to generate different serial number than previous versions
+     //   needs to be added as an option
+     std::string sname(commonname );
+-    sname += "A";
++    sname += "B";
+ 
+ #ifdef DGDEBUG
+     std::cout << "Generating serial no for " << commonname << std::endl;
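Review bot: the suffix change from "A" to "B" is the whole hunk, and the comment above it still reads "needs to be added as an option", so a reader cannot tell why the serial input changed; add a comment stating the intent, presumably that certificates regenerated with the SAN field must not collide with the serials of the SAN-less ones browsers may still hold, and consider making the suffix a named constant instead of a second hard-coded literal.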
+@@ -390,6 +390,14 @@ X509 *CertificateAuthority::generateCertificate(const char *commonname, struct c
+         return NULL;
+     }
+ 
++{
++    String temp1 = "DNS:";
++    String temp2 = commonname;
++    temp1 = temp1 + temp2;
++    char    *value = (char*) temp1.toCharArray();
++if( !addExtension(newCert, NID_subject_alt_name, value))
++        log_ssl_errors("Error adding subjectAltName to the request", commonname);
++}
+     //sign it using the ca
+     ERR_clear_error();
+     if (!X509_sign(newCert, _caPrivKey, EVP_sha256())) {
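Review bot: when addExtension fails, the block only calls log_ssl_errors and falls through to X509_sign, so the certificate is still issued without a SAN and the Chrome rejection recurs silently; return NULL there, as the error path just above the block does. Two smaller points: the SAN is always built as "DNS:" + commonname, which is the wrong entry type when the filtered host is an IP literal (that would need an "IP:" entry), and the block's layout (`{` and `if(` at column 0, `char    *value` with padded spacing) does not match the surrounding code.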
+@@ -521,4 +529,18 @@ CertificateAuthority::~CertificateAuthority()
+     if (_caPrivKey) EVP_PKEY_free(_caPrivKey);
+     if (_certPrivKey) EVP_PKEY_free(_certPrivKey);
+ }
++
++bool CertificateAuthority::addExtension(X509 *cert, int nid, char *value)
++{
++    X509_EXTENSION *ex = NULL;
++    
++    ex = X509V3_EXT_conf_nid(NULL,NULL , nid, value);
++
++    int result = X509_add_ext(cert, ex, -1);
++
++    X509_EXTENSION_free(ex);
++
++    return (result > 0) ? true : false;
++}
++
+ #endif //__SSLMITM
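Review bot: X509V3_EXT_conf_nid returns NULL when it cannot parse `value`, and the function hands that straight to X509_add_ext; add an explicit `if (ex == NULL) return false;` after the call so the failure is reported directly rather than relying on X509_add_ext rejecting a NULL extension. Also, `return (result > 0) ? true : false;` can simply be `return result > 0;`, and the blank line after the declaration of `ex` carries trailing whitespace.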
+diff --git a/src/CertificateAuthority.hpp b/src/CertificateAuthority.hpp
+index 230932b..0aecf61 100755
+--- a/src/CertificateAuthority.hpp
++++ b/src/CertificateAuthority.hpp
+@@ -25,6 +25,7 @@ class CertificateAuthority
+     time_t _ca_end;
+     static int do_mkdir(const char *path, mode_t mode);
+     int mkpath(const char *path, mode_t mode);
++    bool addExtension(X509 *cert, int nid, char *value);
+ 
+     public:
+     CertificateAuthority(const char *caCert,
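Review bot: `bool addExtension(X509 *cert, int nid, char *value);` takes a non-const `char *`, which is what forces the `(char*)` cast at the call site in generateCertificate; with the OpenSSL 1.1 shipped in Debian 9, X509V3_EXT_conf_nid accepts a `const char *`, so declare the parameter as `const char *value` (if OpenSSL 1.0.2, whose signature takes `char *`, must still be supported, keep the cast inside addExtension rather than at the caller). Separately, the patch file carries only the git From/Date/Subject headers; add DEP-3 `Bug-Debian: https://bugs.debian.org/862855` and `Origin: upstream` lines naming commit 0e2bbdea7b4433b75fb73f8e915dbe0e1095fed1 so the provenance is recorded in the patch itself.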
diff -Nru e2guardian-3.4.0.3/debian/patches/series e2guardian-3.4.0.3/debian/patches/series
--- e2guardian-3.4.0.3/debian/patches/series	2016-09-07 16:30:22.000000000 +0200
+++ e2guardian-3.4.0.3/debian/patches/series	2017-05-31 11:40:59.000000000 +0200
@@ -1,3 +1,4 @@
+0001_fix-certificate-bug-with-chrome-browser.patch
 1001_idem-potent-build.patch
 1002_fix-message-typos.patch
 2001_remove-w3c-badge.patch


More information about the Debian-edu-pkg-team mailing list