On 11/04/2012 06:18 PM, Michael Shuler wrote:
> If we attempt to leave cacert.org.pem around, we disrupt the hashes to
> the individual files.  The openssl maintainers wish us to go back to the
> split files, so they can remove a faulty patch.  I'll need to touch base
> with this, when I get some additional time.

I rebuilt openssl_1.0.1c-4 without c_rehash-multi.patch for some testing.

The concatenated cacert.org.pem hash symlinks without the above patch
included in openssl:

root@mana:/# ls -l /etc/ssl/certs/|grep cacert.org
lrwxrwxrwx 1 root root     14 Nov 12 05:21 5ed36f99.0 -> cacert.org.pem
lrwxrwxrwx 1 root root     14 Nov 12 05:21 99d0fa06.0 -> cacert.org.pem
lrwxrwxrwx 1 root root     52 Nov 12 05:17 cacert.org.pem -> /usr/share/ca-certificates/cacert.org/cacert.org.crt
root@mana:/#

As suspected, if we include both the current concatenation and the
individual certs, we have some problems:

Unpacking replacement ca-certificates ...
Setting up ca-certificates (20121105) ...
Updating certificates in /etc/ssl/certs...
WARNING: Skipping duplicate certificate cacert.org_root.pem
WARNING: Skipping duplicate certificate cacert.org_root.pem
161 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
root@mana:/# ls -l /etc/ssl/certs/|grep cacert.org
lrwxrwxrwx 1 root root     21 Nov 12 05:32 590d426f.0 -> cacert.org_class3.pem
lrwxrwxrwx 1 root root     14 Nov 12 05:32 5ed36f99.0 -> cacert.org.pem
lrwxrwxrwx 1 root root     14 Nov 12 05:32 99d0fa06.0 -> cacert.org.pem
lrwxrwxrwx 1 root root     52 Nov 12 05:32 cacert.org.pem -> /usr/share/ca-certificates/cacert.org/cacert.org.crt
lrwxrwxrwx 1 root root     59 Nov 12 05:32 cacert.org_class3.pem -> /usr/share/ca-certificates/cacert.org/cacert.org_class3.crt
lrwxrwxrwx 1 root root     57 Nov 12 05:32 cacert.org_root.pem -> /usr/share/ca-certificates/cacert.org/cacert.org_root.crt
lrwxrwxrwx 1 root root     21 Nov 12 05:32 e5662767.0 -> cacert.org_class3.pem
root@mana:/# grep cacert.org /etc/ca-certificates.conf
cacert.org/cacert.org.crt
cacert.org/cacert.org_class3.crt
cacert.org/cacert.org_root.crt
root@mana:/#

As I understand it, there is a high probability that a good number of
users have configurations, for example Apache, that rely on the existence
of the concatenated cacert.org.pem file for root chaining. If we remove
the concatenated file, we cause problems for those users. If we include
the concatenated file along with the individual root.crt and class3.crt,
we are going to have some different problems.

More ideas and testing are needed!

-- 
Kind regards,
Michael

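The situation shown above (a concatenated bundle shipped next to the individual certificates it contains, producing a "duplicate certificate" skip and a second set of hash symlinks) can be audited before running update-ca-certificates. The following script is an added example, not code from the Debian ca-certificates package, from openssl's c_rehash, or from the thread. It models the two decisions that matter here: a certificate already installed from another file is skipped, and each remaining certificate gets a `<hash>.N` symlink, with N counting up on hash collisions the way c_rehash does. Assumptions: `link_hash` is a stand-in for `openssl x509 -subject_hash` (it hashes the whole DER blob rather than the canonical subject name, because X.509 parsing is out of scope here), and the sample files are constructed stand-ins, not real CAcert certificates; they are built so that the bundle shares only the root certificate with the stand-alone files, which reproduces the pattern in the output above (root skipped, class3 linked twice).

```python
"""Audit a set of PEM files for certificates that appear more than once,
e.g. a concatenated bundle (cacert.org.pem) shipped next to the individual
certificates it contains (cacert.org_root.pem, cacert.org_class3.pem).

Added example; not the update-ca-certificates or c_rehash implementation.
"""
import base64
import hashlib
import re
from collections import defaultdict

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_BLOCK.finditer(text)]


def fingerprint(der):
    """SHA-1 over the DER encoding, like `openssl x509 -fingerprint -sha1`."""
    return hashlib.sha1(der).hexdigest()


def link_hash(der):
    """Stand-in for the subject hash used to name <hash>.N symlinks.
    Assumption: the real c_rehash hashes the canonical subject name; this
    example hashes the whole certificate so it needs no X.509 parser."""
    return hashlib.sha1(der).hexdigest()[:8]


def audit(files):
    """files: {pem_filename: pem_text} as found under /etc/ssl/certs.

    Returns (duplicates, links):
      duplicates: fingerprint -> sorted files holding that certificate,
                  only for certificates seen in more than one file;
      links:      c_rehash-style symlink name -> file it would point at
                  (.0, .1, ... when two distinct certs share a hash).
    Files are processed in sorted order; the first file holding a given
    certificate wins and later copies are skipped, modelling the
    'Skipping duplicate certificate' warning."""
    owners = defaultdict(list)
    links = {}
    counters = defaultdict(int)
    for name in sorted(files):
        for der in split_pem(files[name]):
            fp = fingerprint(der)
            owners[fp].append(name)
            if len(owners[fp]) > 1:
                continue  # duplicate: no second hash link for this cert
            h = link_hash(der)
            links["%s.%d" % (h, counters[h])] = name
            counters[h] += 1
    duplicates = {fp: names for fp, names in owners.items() if len(names) > 1}
    return duplicates, links


# --- constructed sample data (not real certificates) ---------------------

def fake_cert(label):
    """Constructed stand-in for a DER certificate body (not real X.509)."""
    return b"CONSTRUCTED-CERT:" + label


def to_pem(*ders):
    """Wrap DER blobs as a PEM file, 64 base64 characters per line."""
    out = []
    for der in ders:
        b64 = base64.b64encode(der).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append("-----BEGIN CERTIFICATE-----\n%s\n"
                   "-----END CERTIFICATE-----\n" % body)
    return "".join(out)


ROOT = fake_cert(b"cacert.org root")
CLASS3_BUNDLED = fake_cert(b"cacert.org class3 (copy inside bundle)")
CLASS3_STANDALONE = fake_cert(b"cacert.org class3 (stand-alone file)")

# Assumption: the bundle shares only the root with the stand-alone files.
SAMPLE = {
    "cacert.org.pem": to_pem(ROOT, CLASS3_BUNDLED),
    "cacert.org_class3.pem": to_pem(CLASS3_STANDALONE),
    "cacert.org_root.pem": to_pem(ROOT),
}


if __name__ == "__main__":
    dups, links = audit(SAMPLE)
    for fp, names in dups.items():
        print("WARNING: duplicate certificate %s in %s" % (fp[:16], names))
    for link in sorted(links):
        print("%s -> %s" % (link, links[link]))
```

Run against the real directory by replacing `SAMPLE` with a dict read from `/etc/ssl/certs/*.pem`; with real certificates the `.1` suffix appears only when two different certificates share a subject hash, which is exactly the case the multi-hash patch discussed above was handling.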