Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please consider unblocking the not-yet-uploaded package e2guardian.

Quite recently Google Chrome changed its policy regarding certificate requirements: certs without a subjectAltName field now get rejected. The e2guardian content filter system supports filtering SSL-encrypted HTTP traffic by decrypting it, checking its content and then re-encrypting it. Whereas some consider this an m-i-t-m attack, in some setups it makes good sense (e.g. in school networks). For re-encrypting the content, a self-signed set of certs gets used, and in previous versions these certs lacked the SAN field. With a patch from upstream (which they backported to the 3.4 branch of e2guardian especially for Debian 9), this issue has now been fixed. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862855 for details.

unblock e2guardian/3.4.0.3-2

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
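As an added illustration of the browser-side rule behind this bug (not part of the unblock request, of e2guardian or of Chrome): a Chrome-style name check that ignores the CN and requires a matching SAN entry, plus a helper that builds the SAN value a filtering proxy should emit, which goes beyond the patch by handling IP literals. `browser_accepts`, `san_entry_for` and the certificate dicts are constructed stand-ins, not real APIs or captured certificates.

```python
import ipaddress

# Constructed stand-ins for parsed leaf certificates: what the old build
# forged (CN only) and what the patched build forges (CN plus SAN).
OLD_CERT = {"cn": "www.example.test", "san": []}
NEW_CERT = {"cn": "www.example.test", "san": ["DNS:www.example.test"]}

def as_ip(text):
    """ipaddress.ip_address() or None when text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def san_entry_for(commonname):
    """subjectAltName value a filtering proxy should add for the requested
    name, or None if unusable.  The patch always emits "DNS:<name>"; an
    IP literal must be encoded as "IP:<addr>" instead."""
    if as_ip(commonname) is not None:
        return "IP:" + commonname
    # X509V3_EXT_conf_nid parses its value as a comma-separated list, so
    # a name containing ',' or whitespace must not be concatenated blindly.
    name = commonname.strip().rstrip(".").lower()
    if not name or "," in name or any(c.isspace() for c in name):
        return None
    return "DNS:" + name

def dns_matches(pattern, host):
    """RFC 6125 style match: exact, or '*' as the whole leftmost label
    (at least two labels must follow it; it never spans labels)."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    pl, hl = p.split("."), h.split(".")
    return pl[0] == "*" and len(pl) >= 3 and len(pl) == len(hl) and pl[1:] == hl[1:]

def browser_accepts(cert, requested):
    """Chrome-style check (Chrome 58 and later): the CN is ignored entirely,
    so a certificate without any SAN fails whatever its subject says."""
    ip = as_ip(requested)
    for entry in cert.get("san", []):
        kind, _, value = entry.partition(":")
        if ip is not None and kind == "IP" and as_ip(value) == ip:
            return True
        if ip is None and kind == "DNS" and dns_matches(value, requested):
            return True
    return False
```

Running `browser_accepts(OLD_CERT, "www.example.test")` reproduces the Chrome rejection the bug report describes, while `NEW_CERT` passes.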
diff -Nru e2guardian-3.4.0.3/debian/changelog e2guardian-3.4.0.3/debian/changelog --- e2guardian-3.4.0.3/debian/changelog 2016-09-07 16:37:57.000000000 +0200 +++ e2guardian-3.4.0.3/debian/changelog 2017-05-31 11:45:41.000000000 +0200 @@ -1,3 +1,12 @@ +e2guardian (3.4.0.3-2) unstable; urgency=medium + + * debian/patches: + + Add 0001_fix-certificate-bug-with-chrome-browser.patch. Make sure + self-created certificates contain a SAN (subjectAltName) field. (Closes: + #862855). + + -- Mike Gabriel <mike.gabr...@das-netzwerkteam.de> Wed, 31 May 2017 11:45:41 +0200 + e2guardian (3.4.0.3-1) unstable; urgency=medium * Initial release to Debian. (Closes: #836281). diff -Nru e2guardian-3.4.0.3/debian/patches/0001_fix-certificate-bug-with-chrome-browser.patch e2guardian-3.4.0.3/debian/patches/0001_fix-certificate-bug-with-chrome-browser.patch --- e2guardian-3.4.0.3/debian/patches/0001_fix-certificate-bug-with-chrome-browser.patch 1970-01-01 01:00:00.000000000 +0100 +++ e2guardian-3.4.0.3/debian/patches/0001_fix-certificate-bug-with-chrome-browser.patch 2017-05-31 11:40:40.000000000 +0200 
@@ -0,0 +1,69 @@ +From 0e2bbdea7b4433b75fb73f8e915dbe0e1095fed1 Mon Sep 17 00:00:00 2001 +From: Fredb <num...@free.fr> +Date: Wed, 31 May 2017 09:33:09 +0200 +Subject: [PATCH] Bug #216 (v3.4.0.3) Fix certificate bug with chrome browser + +--- + src/CertificateAuthority.cpp | 24 +++++++++++++++++++++++- + src/CertificateAuthority.hpp | 1 + + 2 files changed, 24 insertions(+), 1 deletion(-) + +diff --git a/src/CertificateAuthority.cpp b/src/CertificateAuthority.cpp +index 6202002..4e03ded 100755 +--- a/src/CertificateAuthority.cpp ++++ b/src/CertificateAuthority.cpp +@@ -118,7 +118,7 @@ bool CertificateAuthority::getSerial(const char *commonname, struct ca_serial *c + // added to generate different serial number than previous versions + // needs to be added as an option + std::string sname(commonname ); +- sname += "A"; ++ sname += "B"; + + #ifdef DGDEBUG + std::cout << "Generating serial no for " << commonname << std::endl; +@@ -390,6 +390,14 @@ X509 *CertificateAuthority::generateCertificate(const char *commonname, struct c + return NULL; + } + ++{ ++ String temp1 = "DNS:"; ++ String temp2 = commonname; ++ temp1 = temp1 + temp2; ++ char *value = (char*) temp1.toCharArray(); ++if( !addExtension(newCert, NID_subject_alt_name, value)) ++ log_ssl_errors("Error adding subjectAltName to the request", commonname); ++} + //sign it using the ca + ERR_clear_error(); + if (!X509_sign(newCert, _caPrivKey, EVP_sha256())) { +@@ -521,4 +529,18 @@ CertificateAuthority::~CertificateAuthority() + if (_caPrivKey) EVP_PKEY_free(_caPrivKey); + if (_certPrivKey) EVP_PKEY_free(_certPrivKey); + } ++ ++bool CertificateAuthority::addExtension(X509 *cert, int nid, char *value) ++{ ++ X509_EXTENSION *ex = NULL; ++ ++ ex = X509V3_EXT_conf_nid(NULL,NULL , nid, value); ++ ++ int result = X509_add_ext(cert, ex, -1); ++ ++ X509_EXTENSION_free(ex); ++ ++ return (result > 0) ? 
true : false; ++} ++ + #endif //__SSLMITM +diff --git a/src/CertificateAuthority.hpp b/src/CertificateAuthority.hpp +index 230932b..0aecf61 100755 +--- a/src/CertificateAuthority.hpp ++++ b/src/CertificateAuthority.hpp +@@ -25,6 +25,7 @@ class CertificateAuthority + time_t _ca_end; + static int do_mkdir(const char *path, mode_t mode); + int mkpath(const char *path, mode_t mode); ++ bool addExtension(X509 *cert, int nid, char *value); + + public: + CertificateAuthority(const char *caCert, diff -Nru e2guardian-3.4.0.3/debian/patches/series e2guardian-3.4.0.3/debian/patches/series --- e2guardian-3.4.0.3/debian/patches/series 2016-09-07 16:30:22.000000000 +0200 +++ e2guardian-3.4.0.3/debian/patches/series 2017-05-31 11:40:59.000000000 +0200 @@ -1,3 +1,4 @@ +0001_fix-certificate-bug-with-chrome-browser.patch 1001_idem-potent-build.patch 1002_fix-message-typos.patch 2001_remove-w3c-badge.patch
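Review bot: in the getSerial hunk of CertificateAuthority.cpp, the reason for changing `sname += "A";` to `sname += "B";` is not recorded anywhere; the existing comment only says the suffix exists "to generate different serial number than previous versions", so a later reader cannot tell whether the bump is needed so that certificates regenerated with a SAN get serials distinct from the ones already issued without it. State the purpose in the comment (and in debian/changelog), otherwise the change looks arbitrary and may be reverted.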
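Review bot: in the generateCertificate hunk, a failing addExtension is only logged and the certificate is still signed and returned, so the exact defect this patch fixes (a leaf certificate without a SAN) can still be produced silently; treat it like the error path just above and `return NULL` (releasing newCert first). In the same block the value is always `"DNS:" + commonname`, which is wrong when the client connected to an IP literal (that needs an `IP:` entry), and X509V3_EXT_conf_nid parses its value as a comma-separated list, so commonname should be validated as a plain host name before being concatenated. The inserted block is also indented differently from the surrounding code (`++if( !addExtension` starts at column 0).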
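Review bot: in the addExtension hunk, X509V3_EXT_conf_nid can return NULL when the value does not parse, and `ex` is passed straight to X509_add_ext without a check; test `ex == NULL` explicitly and return false there, so that the caller's log_ssl_errors reports the parsing failure rather than a later add failure. `return (result > 0) ? true : false;` can simply be `return result > 0;`.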
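Review bot: in the CertificateAuthority.hpp hunk, `bool addExtension(X509 *cert, int nid, char *value);` takes a non-const `char *` although the value is only read, which is what forces the `(char*) temp1.toCharArray()` cast in the caller; declare it `const char *value` (in OpenSSL 1.1 the value argument of X509V3_EXT_conf_nid is `const char *`) and drop the cast.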