Your message dated Fri, 28 Apr 2017 21:06:02 +0000 with message-id <[email protected]> and subject line Bug#861185: fixed in ssl-cert 1.0.39 has caused the Debian Bug report #861185, regarding ssl-cert: snakeoil certs need to have Subject Alternative Names to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 861185: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861185 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: ssl-cert Version: 1.0.35 Severity: important Newer web browsers (Chrome 58+, Firefox 48+) are requiring that Subject Alternative Names (SANs) be present in certificates, and are ignoring the Common Name (CN) field. The snakeoils certs generated by make-ssl-cert(8) currently do not put the SAN fields in by default (one has to use a custom tempalte). This can be fixed by first tweaking the default ssleay.cnf file, and appending the following to the end: [...] [ v3_req ] basicConstraints = CA:FALSE # New content below: subjectAltName = @alt_names [alt_names] DNS.1 = @HostName@ The invocation of sed(1) in create_temporary_cnf() will then make sure that @HostName@ will be replaced in both the CN and SAN. The create_temporary_cnf() function also needs to be changed as there is now the possibly of two SAN fields, so each needs to be unique: [ -z "$AltName" ] || echo "DNS.2=$AltName" >> $TMPFILE The numbers don't actually matter (i.e., we could use DNS.314), as long as they are unique. Ideally these changes should be go into Debian 9, as browsers are using this new behaviour right now, so we want to make sure that new installs use new way of doing things for better compaibility for the life of stretch. -- System Information: Debian Release: 8.6 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages ssl-cert depends on: ii adduser 3.113+nmu3 ii debconf [debconf-2.0] 1.5.56 ii openssl 1.0.1t-1+deb8u5 ssl-cert recommends no packages. Versions of packages ssl-cert suggests: pn openssl-blacklist <none> -- debconf information excluded
--- End Message ---
--- Begin Message ---Source: ssl-cert Source-Version: 1.0.39 We believe that the bug you reported is fixed in the latest version of ssl-cert, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Stefan Fritsch <[email protected]> (supplier of updated ssl-cert package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 28 Apr 2017 21:58:22 +0200 Source: ssl-cert Binary: ssl-cert Architecture: source all Version: 1.0.39 Distribution: unstable Urgency: medium Maintainer: Debian Apache Maintainers <[email protected]> Changed-By: Stefan Fritsch <[email protected]> Description: ssl-cert - simple debconf wrapper for OpenSSL Closes: 861185 Changes: ssl-cert (1.0.39) unstable; urgency=medium . * Always put the common name also in the SubjectAltName. This is required to make newer web browsers happy. Closes: #861185 The wording in the debconf questions will be adjusted later, to avoid having to fix so many translation shortly before the release. Checksums-Sha1: 445d7714a879c54547ba50b91ddb86b0557d00d0 1644 ssl-cert_1.0.39.dsc bb446eac7c72a4aca95b6358e44b169a43fd8db9 26080 ssl-cert_1.0.39.tar.xz 912b077399b9b6b2fc70f15b46a7054f809b4900 20836 ssl-cert_1.0.39_all.deb 0e0b94f7284db33d9404c7a81999ba24d8c86fde 5633 ssl-cert_1.0.39_amd64.buildinfo Checksums-Sha256: 260b6260b477c82c942491fc81c6442e43b4893dfc29e26088cad04e08a521c8 1644 ssl-cert_1.0.39.dsc 1265a1941169ea7bb192162e311303999fbdc5f3041338957630d942f872f7bf 26080 ssl-cert_1.0.39.tar.xz 57e66b30d0d7db7a70518b34fa1787e10f8210b327e2a39f147ee3dbf41ace85 20836 ssl-cert_1.0.39_all.deb b8941d948401e0095ca6508fba7b244dfb0e6106bee95e0b099a909a479bac53 5633 ssl-cert_1.0.39_amd64.buildinfo Files: 7c0444cf26853833a3a7ee0ba5eb5026 1644 utils optional ssl-cert_1.0.39.dsc 86bcf9aa90c29b711523f1d925f78685 26080 utils optional ssl-cert_1.0.39.tar.xz 3a8da7f47c33423162f1f6e86e6b1f83 20836 utils optional ssl-cert_1.0.39_all.deb 789a0529d9b7f8b769bd2320d44434e8 5633 utils optional ssl-cert_1.0.39_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEOpiNza8JqByyYYsxxodfNUHO/eAFAlkDoXcACgkQxodfNUHO /eAkwA/7B6m6w99ZKwF+KHCYvR/CAsLOMIyTWJ//lrIUnsYzMTbmSHTinDBt8L8J IlhuDoxa3d80C/ABfA7XV/+dgDH+ysueCATaqvXPbQuyqkuJcrxJ+9e/02T4/r4m sJEoUtM2dSM2UPnfxQ1FsEd7Sfpz8LvfOB+C36bTjUSXUPiDb5GVYRB44ixekDYi hks0miPWx7yDhEqNd1uGapCXCzim1av2YACFu8Tt0fSvh0BlsVlw5lJvNnguvuHq vIQXW7hM6mWFULZJeRSZPKobmaPsxKc2kFrXnPtkMZCsnv9vnwPUHRsNoLpBZG+c c6OEIhyMqWDf94Z1kQbpIS84sx8yFozjPNN7qvzIvq1IwAoq2j1igq1dwdJ4GFgj QFtogoshiXNSFALKPcZUG3rB0Vpun9p19geAEbmjzD+90ZuLnPagUy+329hQcBUV WZjmI0Crc55R4n+GL1Ssv+8he1WTp2rj0vLbNWhzwd2InCM7jrRy2bxyH7vNY4KQ JfxvwQ3m4Xc8jr/aJL0xdKy9qVeJ4AZMeBww8s3/+XMWqkLla0/nN3jnvqN/epMy inWKzgT10nt9LVIZKm7qJfbPdOPu11TfJUgQ1qolyKio4j/KTroY+RQEOfxDJz0N G79tavSVvw0g98BiyoJD52TOa7F80jysMZJn7pdVTRkfAkZrT4Q= =OVnD -----END PGP SIGNATURE-----
--- End Message ---
