[Pkg-openssl-devel] Bug#642314: Bug#628780: Wrong hash link to cacert.org.pem and wron certificat hash handling at all

Loïc Minier lool at dooz.org
Wed Sep 21 13:49:06 UTC 2011


Hi

 The patch from Debian #628780 caused a regression with certificates
 using CRLF line-endings, which prompted me to take a look at the
 discussion here.  (Debian #642314 is the regression.)

 Outside of CRLF line-endings, there seems to be potential for more
 regressions in this patch:

a) link_hash_cert() only searches for "BEGIN CERTIFICATE", not for
   "BEGIN X509 CERTIFICATE" or "BEGIN TRUSTED CERTIFICATE" which are
   allowed in other parts of the file

b) this requires a tempdir with write permissions, which might be a
   problem for certain deployments calling c_rehash

c) this causes a lot of writes (each certificate is written to a
   tempfile which gets deleted); again, this might be a problem if some
   deployments run c_rehash on a large number of certificates

 I'm particularly worried about c) because the whole point of c_rehash
 is to speed up lookup when there is a large number of certificates
 (e.g. client certificates).  If there is a large number of
 certificates, then writing each of them to a tempfile is going to be
 time consuming.  If there are many certificates, one can also imagine
 that certificates are added/removed frequently, requiring frequent runs
 of c_rehash.

 The root problem here is really that the openssl command-line doesn't
 support multiple certificates in a single file, so why not fix that
 instead?  e.g. we could add a flag to x509 to output information about
 ALL certificates (it already has tons of other random options).  This
 would allow -fingerprint and -hash or even -text to be useful on files
 with multiple certificates.  Then ca-certificates would get updated to
 use this flag (which probably wouldn't be the default for
 backwards-compatibility reasons.)


 In my eyes, the drawbacks of the patch are quite bad; perhaps it would
 be a better idea to:
 * split cacert.org.crt in two files, one per certificate; this would
   also allow administrators to enable certificates selectively in
   /etc/ca-certificates.conf
 * document the limitation in openssl / ca-certificates that only the
   first certificate gets picked up
 * optionally, we could let ca-certificates or c_rehash fail (if some
   flag is set and) if multiple certificates are in a single file

Cheers,
-- 
Loïc Minier
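The CRLF regression and point a) above both come down to how a PEM bundle is split into certificate blocks. The following is an added example (not code from the bug report, from c_rehash or from openssl): a splitter that normalises line endings before matching and accepts all three BEGIN labels the message lists; the function names and the sample bundle are constructed for the example.

```python
import base64
import hashlib
import re

# Labels the message says may precede a certificate block in a bundle;
# the patch under discussion only looked for plain "BEGIN CERTIFICATE".
CERT_LABELS = ("CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE")

_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>.*?)\n-----END (?P<end>[A-Z0-9 ]+)-----",
    re.DOTALL,
)


def split_pem_certificates(text):
    """Return [(label, der_bytes), ...] for every certificate block in a PEM bundle.

    Line endings are normalised first, so a CRLF file yields the same blocks as an
    LF file. Non-certificate blocks (keys, CRLs) are skipped; a block whose END label
    differs from its BEGIN label is rejected instead of being silently accepted.
    """
    normalised = text.replace("\r\n", "\n").replace("\r", "\n")
    certs = []
    for m in _BLOCK_RE.finditer(normalised):
        label = m.group("label")
        if label != m.group("end"):
            raise ValueError("mismatched labels: BEGIN %s / END %s" % (label, m.group("end")))
        if label not in CERT_LABELS:
            continue
        body = "".join(m.group("body").split())  # drop the 64-column line breaks
        certs.append((label, base64.b64decode(body, validate=True)))
    return certs


def sha1_fingerprint(der):
    """Colon-separated SHA-1 of the DER bytes, in the style of `openssl x509 -fingerprint`."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample: two blocks with CRLF line endings, the second using the
# TRUSTED CERTIFICATE label. The base64 payloads are placeholders, not real DER.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "Zmlyc3QgY2VydGlmaWNhdGU=\r\n"
    "-----END CERTIFICATE-----\r\n"
    "-----BEGIN TRUSTED CERTIFICATE-----\r\n"
    "c2Vjb25kIGNlcnRp\r\n"
    "ZmljYXRl\r\n"
    "-----END TRUSTED CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    for label, der in split_pem_certificates(SAMPLE_BUNDLE):
        print(label, sha1_fingerprint(der))
```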
