Your message dated Tue, 09 May 2017 05:19:00 +0000
with message-id <[email protected]>
and subject line Re: Bug#862122: unblock: ssl-cert/1.0.39
has caused the Debian Bug report #862122,
regarding unblock: ssl-cert/1.0.39
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
862122: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862122
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Hi release team,

Please unblock package ssl-cert

At least the current version of chrome does not accept the default
certificates generated by ssl-cert 1.0.38 anymore, because they don't
contain the host name as SubjectAltName. Therefore it makes sense to
have the new version of ssl-cert in stretch.

Debdiff is attached.

unblock ssl-cert/1.0.39

Cheers,
Stefan

diff -Nru ssl-cert-1.0.38/debian/changelog ssl-cert-1.0.39/debian/changelog
--- ssl-cert-1.0.38/debian/changelog 2016-05-29 13:44:46.000000000 +0200
+++ ssl-cert-1.0.39/debian/changelog 2017-04-28 21:58:22.000000000 +0200
@@ -1,3 +1,12 @@
+ssl-cert (1.0.39) unstable; urgency=medium
+
+ * Always put the common name also in the SubjectAltName. This is required
+ to make newer web browsers happy. Closes: #861185
+ The wording in the debconf questions will be adjusted later, to avoid
+ having to fix so many translation shortly before the release.
+
+ -- Stefan Fritsch <[email protected]> Fri, 28 Apr 2017 21:58:22 +0200
+
ssl-cert (1.0.38) unstable; urgency=medium
* Update Turkish translation. Thanks to Atila KOÇ. Closes: #807559
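Review bot: The wording "Always put the common name also in the SubjectAltName" in the new entry does not match the make_snakeoil change for host names longer than 64 characters. There SubjectAltName is set from the full $HostName before HostName is replaced by $(hostname), so the CN and the SAN entry differ. Suggest wording such as "Always put the host name in the SubjectAltName" so the changelog describes both code paths.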
diff -Nru ssl-cert-1.0.38/make-ssl-cert ssl-cert-1.0.39/make-ssl-cert
--- ssl-cert-1.0.38/make-ssl-cert 2016-05-29 13:39:30.000000000 +0200
+++ ssl-cert-1.0.39/make-ssl-cert 2017-04-28 21:53:33.000000000 +0200
@@ -32,8 +32,10 @@
db_input high make-ssl-cert/altname || true
db_go
db_get make-ssl-cert/altname
- AltName="$RET"
+ AddAltName="$RET"
db_fset make-ssl-cert/altname seen false
+ SubjectAltName="DNS:$HostName"
+ [ -z "$AddAltName" ] || SubjectAltName="$SubjectAltName,$AddAltName"
}
make_snakeoil() {
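Review bot: In the debconf path, $AddAltName is appended verbatim by `SubjectAltName="$SubjectAltName,$AddAltName"`, with no check that each comma-separated entry has a type:value form like the DNS: prefix used on the line above. Since this value now always ends up in the generated config, consider validating the debconf answer here and re-asking or failing with a clear message when an entry is malformed. The "DNS:$HostName" default also assumes the entered host name is a DNS name, which deserves a comment or a check.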
@@ -44,15 +46,14 @@
echo make-ssl-cert: 'make-ssl-cert generate-default-snakeoil
--force-overwrite'
echo make-ssl-cert: again.
fi
+ SubjectAltName="DNS:$HostName"
if [ ${#HostName} -gt 64 ] ; then
- AltName="DNS:$HostName"
HostName="$(hostname)"
fi
}
create_temporary_cnf() {
- sed -e s#@HostName@#"$HostName"# $template > $TMPFILE
- [ -z "$AltName" ] || echo "subjectAltName=$AltName" >> $TMPFILE
+ sed -e s#@HostName@#"$HostName"# -e s#@SubjectAltName@#"$SubjectAltName"#
$template > $TMPFILE
}
# Takes two arguments, the base layout and the output cert.
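Review bot: In create_temporary_cnf, the new `-e s#@SubjectAltName@#"$SubjectAltName"#` passes the alt names through sed unescaped, whereas the removed line appended them with echo. A `#`, `&` or backslash in $SubjectAltName, which can carry the debconf answer, would break or change the substitution. Suggest escaping those characters before the sed call, or keeping the append approach for the subjectAltName line. $template and $TMPFILE could also be quoted while this line is being touched.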
diff -Nru ssl-cert-1.0.38/ssleay.cnf ssl-cert-1.0.39/ssleay.cnf
--- ssl-cert-1.0.38/ssleay.cnf 2016-05-29 13:39:30.000000000 +0200
+++ ssl-cert-1.0.39/ssleay.cnf 2017-04-28 21:54:35.000000000 +0200
@@ -18,3 +18,4 @@
[ v3_req ]
basicConstraints = CA:FALSE
+subjectAltName = @SubjectAltName@
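Review bot: The new `subjectAltName = @SubjectAltName@` line in [ v3_req ] is unconditional, so the template is only usable after create_temporary_cnf has substituted a well-formed value. Nothing visible in the make-ssl-cert hunks checks that $HostName is non-empty before `SubjectAltName="DNS:$HostName"` is built, so this line could end up as a bare `DNS:`. Suggest a guard in create_temporary_cnf that fails early in that case, and a comment here noting that the placeholder is filled in by make-ssl-cert.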
--- End Message ---
--- Begin Message ---
Stefan Fritsch:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Hi release team,
>
> Please unblock package ssl-cert
>
> At least the current version of chrome does not accept the default
> certificates generated by ssl-cert 1.0.38 anymore, because they don't
> contain the host name as SubjectAltName. Therefore it makes sense to
> have the new version of ssl-cert in stretch.
>
> Debdiff is attached.
>
> unblock ssl-cert/1.0.39
>
> Cheers,
> Stefan
>
Already unblocked and migrated.
Thanks,
~Niels
--- End Message ---