Hi Joey, hi Jaldhar,

Martin Schulze [2006-07-20 11:16 +0200]:
> Martin Pitt wrote:
> > In an effort to clean up the SSL certificate mess on Ubuntu servers, we
> > recently converted all our supported Server packages to make use of
> > the ssl-cert package instead of creating a package-specific
> > self-signed SSL certificate. This allows admins to easily replace the
> > certificate with a 'real' one without touching dozens of configuration
> > files, and also provides a consistent setup out of the box.
> 
> Probably a good idea, however...
> 
> > +-#ssl_cert_file = /etc/ssl/certs/dovecot.pem
> > +-#ssl_key_file = /etc/ssl/private/dovecot.pem
> > ++#ssl_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> > ++#ssl_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
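
Review bot: The new commented defaults for ssl_cert_file and ssl_key_file carry no hint that the snakeoil pair is the self-signed one from ssl-cert and is shared with other services. An admin reading dovecot.conf cannot tell that replacing those files changes the certificate for more than dovecot. Suggest a one-line comment above the two settings saying so. The key's suffix also changes from .pem to .key (private/dovecot.pem becomes private/ssl-cert-snakeoil.key), which is worth calling out in the patch description for anyone whose scripts match on the old name.
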
> 
> If you would keep /etc/ssl/{certs,private}/dovecot.pem and just
> create a symbolic link to the snakeoil certificate, it would be
> even easier for the admin to change certificates since they
> would not have to dig into all kinds of configuration files for
> various applications but only look at the filesystem.

OK, a symlink would be an alternative, right. They might be a bit
confusing if you look at the configuration file, see 'dovecot.pem',
change 'snakeoil.pem', and suddenly get a different certificate for
dovecot as well, but I'm not opposed to doing it that way.

This should probably be decided by Jaldhar, after all, it's his
package. :)

> > +diff -urNad dovecot-1.0.beta3~/src/master/master-settings.c 
> > dovecot-1.0.beta3/src/master/master-settings.c
> > +--- dovecot-1.0.beta3~/src/master/master-settings.c        2006-02-02 
> > 22:15:30.000000000 +0100
> > ++++ dovecot-1.0.beta3/src/master/master-settings.c 2006-04-04 
> > 11:40:45.000000000 +0200
> > +@@ -262,8 +262,8 @@
> > + 
> > +   MEMBER(ssl_disable) FALSE,
> > +   MEMBER(ssl_ca_file) NULL,
> > +-  MEMBER(ssl_cert_file) SSLDIR"/certs/dovecot.pem",
> > +-  MEMBER(ssl_key_file) SSLDIR"/private/dovecot.pem",
> > ++  MEMBER(ssl_cert_file) SSLDIR"/certs/ssl-cert-snakeoil.pem",
> > ++  MEMBER(ssl_key_file) SSLDIR"/private/ssl-cert-snakeoil.key",
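
Review bot: In master-settings.c the two new literals after SSLDIR repeat the paths from the commented defaults in dovecot.conf, so the compiled-in default and the documented default can drift apart if only one of them is updated later. Consider a comment next to MEMBER(ssl_cert_file) pointing at the matching dovecot.conf entry. With MEMBER(ssl_disable) FALSE directly above, the built-in configuration now expects ssl-cert-snakeoil.key to exist, so the patch header should state that this relies on the package depending on ssl-cert.
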
> 
> This looks bad to me since it looks like the snakeoil certificate would
> be somewhat hardcoded.  

The default is hardcoded either way; since we added a dependency to
ssl-cert, it will be there. 

> Does this make it more difficult for an admin to change the cert for
> only dovecot instead of for all snakeoil-using applications?

Our intention was to optimize the 'switch global SSL certificate
easily' case without getting too intrusive (since at least in my
experience admins will prefer using one good certificate for all
services on a host instead of managing one for each service).

To change the cert only for dovecot: With the patch above, the admin
needs to change the path in dovecot.conf; with the symlink approach,
he can do either that or change the symlink (but with the potential
confusion I mentioned above). So neither approach makes this any more
difficult than right now.

I guess it's just a matter of taste, but if we want to do it in
Debian, we should pick one approach and do it consistently (either
symlinks or directly using the snakeoil path).

Thanks for considering and your remarks,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Attachment: signature.asc
Description: Digital signature
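
Added example, not part of the original message: a small audit helper for the "potential confusion" discussed above. It reports whether the certificate a service is configured to use is the shared snakeoil file named directly, a differently named symlink to it, or a certificate of its own. The function names, the scratch directory and the file `mail-own.pem` are constructed for illustration; `readlink -f` from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). All paths below are constructed
# under a scratch directory; nothing in /etc/ssl is touched.

# conf_value FILE KEY DEFAULT: last uncommented "KEY = value", else DEFAULT
conf_value() {
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
    echo "${v:-$3}"
}

# cert_origin PATH SNAKEOIL: how PATH relates to the shared certificate
#   direct  = the config names the snakeoil file itself
#   symlink = a differently named path that resolves to the snakeoil file
#   own     = resolves to some other file;  missing = does not exist
cert_origin() {
    [ -e "$1" ] || { echo missing; return 0; }
    if [ "$(readlink -f -- "$1")" != "$(readlink -f -- "$2")" ]; then
        echo own
    elif [ -L "$1" ]; then
        echo symlink
    else
        echo direct
    fi
}

# build_demo ROOT: constructed tree with both layouts from the discussion
build_demo() {
    mkdir -p "$1/certs"
    echo "constructed placeholder" > "$1/certs/ssl-cert-snakeoil.pem"
    ln -s ssl-cert-snakeoil.pem "$1/certs/dovecot.pem"          # symlink layout
    echo "constructed placeholder 2" > "$1/certs/mail-own.pem"  # per-service cert
    printf '#ssl_cert_file = %s\n' "$1/certs/dovecot.pem" > "$1/default.conf"
    printf 'ssl_cert_file = %s\n' "$1/certs/mail-own.pem" > "$1/custom.conf"
}

demo=$(mktemp -d)
build_demo "$demo"
snake="$demo/certs/ssl-cert-snakeoil.pem"
for conf in default.conf custom.conf; do
    # A commented-out setting falls back to the default passed as third argument
    cert=$(conf_value "$demo/$conf" ssl_cert_file "$demo/certs/dovecot.pem")
    echo "$conf: $cert -> $(cert_origin "$cert" "$snake")"
done
rm -rf "$demo"
```

A result of `symlink` marks a service whose certificate changes whenever the snakeoil file is replaced, even though its configuration never mentions that file.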