Bug#619746: gnutls-bin: [certtool] include useless data when creating a CSR
Luca Capello
luca at pca.it
Sat Mar 26 18:15:18 UTC 2011
Hi there!
On Sat, 26 Mar 2011 18:57:26 +0100, Luca Capello wrote:
> Indeed, the output certtool now displays when creating a CSR seems to me
> a template, albeit it includes the CSR at the end.
>
> This is a big regression WRT security and I do not share Simon's view
> about putting passwords in files and protecting them with restricted file
> modes: by default, no password of any kind should be written to a file.
>
> IMHO Severity: should be more than important, but neither the definition
> of serious nor the one of grave seemed to fit what I just wrote above.
Now that I fully tested the CSR generation (sorry, my fault for not
having done this before), I am even more scared:
=====
luca at gismo:~$ #certtool --generate-request \
--load-privkey pca.it.key --outfile gallery.pca.it.csr
luca at gismo:~$ ls -la ~/ | grep .ssl
drwx------ 4 luca luca 4096 Dec 10 00:10 .ssl
luca at gismo:~$ ls -la ~/.ssl | grep private
drwx------ 2 luca luca 4096 Mar 26 19:01 private
luca at gismo:~$ ls -la ~/.ssl/private/ | grep gallery
-rw-r--r-- 1 luca luca 4067 Mar 26 19:02 gallery.pca.it.csr
=====
If certtool must continue including "useless" information in the CSR
output, at least it must create the output file with a restricted file
mode.
Thx, bye,
Gismo / Luca
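As an added illustration of the mitigation asked for in this report (example code, not part of certtool or of the original message): a Python function that creates an output file with mode 0600 regardless of the caller's umask, and a small audit that flags group- or other-readable files carrying private-key or password material. It is run over a constructed copy of the report's situation; the file names and the PEM contents are constructed sample values.

```python
import os
import stat
import tempfile

# Constructed sample of the kind of PEM block that must never land in a 0644 file.
SAMPLE_SECRET = b"-----BEGIN RSA PRIVATE KEY-----\nNOT-A-REAL-KEY\n-----END RSA PRIVATE KEY-----\n"
SECRET_MARKERS = (b"PRIVATE KEY-----", b"password")

def write_secret_file(path, data):
    # Create `path` readable only by its owner, whatever the caller's umask is.
    # O_EXCL refuses to reuse an existing file or symlink; fchmod re-asserts
    # 0600 on the open descriptor in case umask narrowed the creation mode.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, data)  # small payload, a single write suffices here
    finally:
        os.close(fd)

def find_exposed_secrets(directory):
    # Names of regular files that carry a secret marker and are readable by
    # group or others: exactly the symptom shown in the report's `ls -la`.
    exposed = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        st = os.lstat(full)
        if not stat.S_ISREG(st.st_mode) or not st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
            continue
        with open(full, "rb") as fh:
            head = fh.read(4096)
        if any(marker in head for marker in SECRET_MARKERS):
            exposed.append(name)
    return exposed

def demo_in_tempdir():
    # Reproduce the report's 0644 file beside the safe variant and audit both.
    d = tempfile.mkdtemp()
    leaky = os.path.join(d, "gallery.pca.it.csr")
    with open(leaky, "wb") as fh:
        fh.write(SAMPLE_SECRET)
    os.chmod(leaky, 0o644)  # the mode certtool produced in the report
    safe = os.path.join(d, "gallery.pca.it.safe.csr")
    write_secret_file(safe, SAMPLE_SECRET)
    return {
        "leaky_mode": stat.S_IMODE(os.stat(leaky).st_mode),
        "safe_mode": stat.S_IMODE(os.stat(safe).st_mode),
        "exposed": find_exposed_secrets(d),
    }
```

Calling `demo_in_tempdir()` returns the 0644 file as the only exposed entry, while the file written by `write_secret_file` comes back with mode 0600.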