Bug#619746: gnutls-bin: [certtool] include useless data when creating a CSR

Luca Capello luca at pca.it
Sat Mar 26 18:15:18 UTC 2011


Hi there!

On Sat, 26 Mar 2011 18:57:26 +0100, Luca Capello wrote:
> Indeed, the output certtool now displays when creating a CSR seems to me
> a template, albeit it includes the CSR at the end.
>
> This is a big regression WRT security and I do not share Simon's view
> about putting passwords in files and protecting them with restricted file
> modes: by default, no password of any kind should be written to a file.
>
> IMHO Severity: should be more than important, but neither the definition
> of serious nor the one of grave seemed to fit what I just wrote above.

Now that I fully tested the CSR generation (sorry, my fault for not
having done this before), I am even more scared:
=====
luca at gismo:~$ #certtool --generate-request \
 --load-privkey pca.it.key --outfile gallery.pca.it.csr

luca at gismo:~$ ls -la ~/ | grep .ssl
drwx------  4 luca luca       4096 Dec 10 00:10 .ssl

luca at gismo:~$ ls -la ~/.ssl | grep private
drwx------  2 luca luca  4096 Mar 26 19:01 private

luca at gismo:~$ ls -la ~/.ssl/private/ | grep gallery
-rw-r--r-- 1 luca luca 4067 Mar 26 19:02 gallery.pca.it.csr
=====

If certtool must continue including "useless" information in the CSR
output, at least it must create the output file with a restricted file
mode.

Thx, bye,
Gismo / Luca
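A defensive post-processing step for the problem described in this report, as an added example that is not part of the original message or of certtool itself: it reduces a certtool output file to the PEM block only, writes the result under a restrictive umask, and provides checks for a world-readable mode and for a password line left in the file. The sample input is constructed and merely imitates the template-plus-CSR layout described above; the PEM body is filler, not a real request.

```sh
#!/bin/sh
# Constructed stand-in for certtool's output: template-style settings
# (including a password line) followed by the CSR PEM block.
sample_output() {
  cat <<'EOF'
# constructed template settings, hypothetical layout
organization = "Example Org"
password = "hunter2"
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBsjCCARsCAQAwcjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
-----END NEW CERTIFICATE REQUEST-----
EOF
}

# Succeeds only if the file has no group/other permission bits set
# (parses the mode column of ls -ld, positions 5-10).
file_is_private() {
  perm=$(ls -ld "$1" | cut -c5-10)
  case "$perm" in
    *[rwx]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Succeeds if a password line is present anywhere in the file.
csr_has_leak() {
  grep -q -i '^password' "$1"
}

# Copy only the PEM block from $1 into $2, creating $2 with mode 0600.
# The destination is removed first because redirection onto an existing
# file keeps that file's old mode; umask applies only at creation.
extract_csr_pem() {
  in=$1; out=$2
  rm -f "$out"
  ( umask 077; sed -n '/^-----BEGIN /,/^-----END /p' "$in" > "$out" )
}
```

Running the same mode check against the files under ~/.ssl/private shows whether any of them is exposed the way gallery.pca.it.csr is in the listing above.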