Re: [gentoo-dev] SSL certificates in binary packages
On Tue, 21 Aug 2007, Natanael Copa wrote:
> Hi,
>
> I use the gentoo framework to build binary packages. I noticed that most packages create the ssl certificate during src_install(). This makes all binary packages contain the ssl certs, which is a security threat.

Hi,

If you are really concerned by security, then you do not want to use such automatically-generated certificates. They generally contain fake CN names (e.g. CN=localhost) and they are not expected in a PKI environment: they can't be checked nor trusted. You will generate your own certificates with your own root CA, your own CRL and your own policy.

> The net-nds/openldap package has understood this and calls docert from pkg_postinst() and even includes this comment:
>
> # You cannot build SSL certificates during src_install that will make
> # binary packages containing your SSL key, which is both a security risk
> # and a misconfiguration if multiple machines use the same key and cert.

I guess openldap generates self-signed certificates with generic CN names, and this problem is not solved this way.

Cheers,
--
Raphael Marichez aka Falco
Gentoo/Security
Re: [gentoo-dev] SSL certificates in binary packages
On Wed, 2007-08-22 at 13:29 +0200, Raphael Marichez wrote:
> On Tue, 21 Aug 2007, Natanael Copa wrote:
> > Hi,
> >
> > I use the gentoo framework to build binary packages. I noticed that most packages create the ssl certificate during src_install(). This makes all binary packages contain the ssl certs, which is a security threat.
>
> Hi,
>
> If you are really concerned by security, then you do not want to use such automatically-generated certificates. They generally contain fake CN names (e.g. CN=localhost) and they are not expected in a PKI environment: they can't be checked nor trusted. You will generate your own certificates with your own root CA, your own CRL and your own policy.

Of course. I'm just telling that there are some public keys available in the binary packages so joe user might believe he has encryption of his traffic out of the box.

> > The net-nds/openldap package has understood this and calls docert from pkg_postinst() and even includes this comment:
> >
> > # You cannot build SSL certificates during src_install that will make
> > # binary packages containing your SSL key, which is both a security risk
> > # and a misconfiguration if multiple machines use the same key and cert.
>
> I guess openldap generates self-signed certificates with generic CN names, and this problem is not solved this way.

Difficult to decrypt traffic even if it uses self-signed keys. Trivial if you have the private keys.

Do whatever you want with it. I was just surprised to find private keys in my binary packages.

Cheers,
--
[EMAIL PROTECTED] mailing list
[gentoo-dev] SSL certificates in binary packages
Hi,

I use the gentoo framework to build binary packages. I noticed that most packages create the ssl certificate during src_install(). This makes all binary packages contain the ssl certs, which is a security threat.

The net-nds/openldap package has understood this and calls docert from pkg_postinst() and even includes this comment:

# You cannot build SSL certificates during src_install that will make
# binary packages containing your SSL key, which is both a security risk
# and a misconfiguration if multiple machines use the same key and cert.
# Additionally, it overwrites

The net-im/ejabberd seems to create ssl cert from another script.

The vulnerable packages are:

app-admin/conserver
mail-mta/postfix
net-analyzer/sguil-server
net-firewall/nufw
net-ftp/netkit-ftpd
net-irc/ptlink-ircd
net-irc/unrealircd
net-mail/cyrus-imapd
net-mail/cyrus-imspd
net-mail/dovecot
net-misc/stunnel
net-nntp/inn
www-servers/nginx

Should I create a bug for every vulnerable package?

From a binary packager's perspective I would really prefer to create the certs from init.d script.

Thanks!

Natanael Copa
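The problem the post describes is easy to check for mechanically: before a binary package is published or installed, unpack it and look for PEM private-key markers. The script below is an added example written for this page, not a tool from Gentoo or from the poster. It assumes the package is a plain tar archive readable by tar(1) (a real Gentoo .tbz2 carries an xpak trailer that would need to be split off first, which is out of scope here); the helper and function names are mine, and the sample package contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: scan a binary package (tar archive) for embedded private keys.
# Assumptions: tar(1), grep -r and mktemp are available; PEM private keys carry a
# "-----BEGIN ... PRIVATE KEY-----" marker. Sample package contents are constructed.

set -u

# binpkg_private_keys ARCHIVE
# Prints the package-relative path of every member containing a PEM private key.
binpkg_private_keys() {
    archive=$1
    tmp=$(mktemp -d) || return 2
    tar -xf "$archive" -C "$tmp" || { rm -rf "$tmp"; return 2; }
    # -r recurse, -l list matching files only; strip the leading "./"
    (cd "$tmp" && grep -rl -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' . 2>/dev/null | sed 's|^\./||')
    rm -rf "$tmp"
}

# binpkg_has_private_key ARCHIVE -> exit 0 when at least one member holds a private key
binpkg_has_private_key() {
    [ -n "$(binpkg_private_keys "$1")" ]
}

# make_sample_binpkg DEST [yes|no]
# Constructed sample: a package shipping a certificate and, when asked, its key.
# This mimics what a src_install()-generated cert looks like inside a binpkg.
make_sample_binpkg() {
    dest=$1; with_key=${2:-no}
    root=$(mktemp -d) || return 2
    mkdir -p "$root/etc/ssl/foo" "$root/usr/bin"
    printf '%s\n' '#!/bin/sh' 'echo foo' > "$root/usr/bin/foo"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed...' \
        '-----END CERTIFICATE-----' > "$root/etc/ssl/foo/server.pem"
    if [ "$with_key" = yes ]; then
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE...constructed...' \
            '-----END RSA PRIVATE KEY-----' > "$root/etc/ssl/foo/server.key"
    fi
    tar -cf "$dest" -C "$root" .
    rm -rf "$root"
}

# Stand-alone usage: build one package of each kind and report on them.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_binpkg "$d/leaky.tar" yes
    make_sample_binpkg "$d/clean.tar" no
    for p in "$d/leaky.tar" "$d/clean.tar"; do
        if binpkg_has_private_key "$p"; then
            echo "$p: contains private key(s):"; binpkg_private_keys "$p"
        else
            echo "$p: no private keys"
        fi
    done
    rm -rf "$d"
fi
```

Run it as `sh scan.sh --demo`, or source it and point `binpkg_has_private_key` at your own archives. The match is content-based rather than by file name, so a key dropped into an unusual path (or a .pem that bundles cert and key) is still caught.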
Re: [gentoo-dev] SSL certificates in binary packages
On 8/21/07, Natanael Copa [EMAIL PROTECTED] wrote:
> Hi,
>
> I use the gentoo framework to build binary packages. I noticed that most packages create the ssl certificate during src_install(). This makes all binary packages contain the ssl certs, which is a security threat.
>
> The net-nds/openldap package has understood this and calls docert from pkg_postinst() and even includes this comment:
>
> # You cannot build SSL certificates during src_install that will make
> # binary packages containing your SSL key, which is both a security risk
> # and a misconfiguration if multiple machines use the same key and cert.
> # Additionally, it overwrites
>
> The net-im/ejabberd seems to create ssl cert from another script.
>
> The vulnerable packages are:
>
> app-admin/conserver
> mail-mta/postfix
> net-analyzer/sguil-server
> net-firewall/nufw
> net-ftp/netkit-ftpd
> net-irc/ptlink-ircd
> net-irc/unrealircd
> net-mail/cyrus-imapd
> net-mail/cyrus-imspd
> net-mail/dovecot
> net-misc/stunnel
> net-nntp/inn
> www-servers/nginx
>
> Should I create a bug for every vulnerable package?
>
> From a binary packager's perspective I would really prefer to create the certs from init.d script.

Generating certs from init.d is a bad idea IMHO. It makes it way too easy to automatically generate new certs in the event that old ones are moved (if you are talking about the service starting, detecting no certs, generating some, then using them). I guess you could do like /etc/init.d/SERVICE certgen, but that too is probably a hack (not really what init scripts are for).

I personally would generate the certs on a trusted server/workstation and then push them to the machine post-install using slack or cfengine or puppet. I don't see why (in a generic package like a gentoo ebuild) you would do anything but create a generic cert 'so it works out of the box'. You are certainly entitled to edit the ebuild's postinst to do whatever :)

PS: I'll try to get to these tonight, you can just file a tracker bug for them.

> Thanks!
>
> Natanael Copa
> --
> [EMAIL PROTECTED] mailing list
Re: [gentoo-dev] SSL certificates in binary packages
On Tue, Aug 21, 2007 at 04:12:32PM +0200, Natanael Copa wrote:
> I use the gentoo framework to build binary packages. I noticed that most packages create the ssl certificate during src_install(). This makes all binary packages contain the ssl certs, which is a security threat.

I filed bug #174759 to the security team back in April on this issue, and then fixed the openldap package where I had originally found it.

Anybody using binpkgs obtained from a public repository that contain SSL certs should ensure that they regenerate the SSL certs on each machine.

For packages, there are two possible fixes:
1. Move the docert call into pkg_postinst.
2. Provide scripts that generate certs (courier-imap and qmail do this).

--
Robin Hugh Johnson
Gentoo Linux Developer & Council Member
E-Mail : [EMAIL PROTECTED]
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
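Both fixes Robin lists (a docert call in pkg_postinst, or a separate cert-generation script) and the earlier objection to init.d generation come down to the same function: create a per-host key and self-signed certificate on the installed machine, at install time rather than build time, and refuse to touch a key that is already there. The script below is an added example written for this page; it is not Gentoo's docert, nor code from openldap, courier-imap or qmail. It assumes openssl(1) is installed, and the function names, paths and the subject CN are parameters I chose for the illustration.

```shell
#!/bin/sh
# Added example: install-time (pkg_postinst style) self-signed cert generation
# that never overwrites an existing key. Assumes openssl(1); all names are mine.

set -u

# gen_host_cert DIR NAME CN [DAYS]
# Creates DIR/NAME.key (mode 0600) and DIR/NAME.crt (mode 0644) only if
# neither file exists. Exit status: 0 generated, 3 skipped because files
# already exist (so a re-run, or an init script, cannot silently replace a
# key that was deliberately deployed), anything else an openssl/fs error.
gen_host_cert() {
    dir=$1; name=$2; cn=$3; days=${4:-365}
    key="$dir/$name.key"; crt="$dir/$name.crt"
    if [ -e "$key" ] || [ -e "$crt" ]; then
        echo "gen_host_cert: $key or $crt already exists, not overwriting" >&2
        return 3
    fi
    mkdir -p "$dir" || return 1
    # umask 077 so the key file is never world-readable, even between creation
    # and chmod; -nodes leaves the key unencrypted so the service starts unattended.
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -days "$days" -subj "/CN=$cn" -keyout "$key" -out "$crt" 2>/dev/null ) || return 1
    chmod 0600 "$key" && chmod 0644 "$crt"
}

# cert_cn FILE -> prints the subject CN of a PEM certificate
# (handles both "subject= /CN=x" and "subject=CN = x" output styles)
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_fingerprint FILE -> SHA-256 fingerprint, used to show two hosts differ
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Stand-alone usage, e.g. from a pkg_postinst or a "certgen" helper:
#   gen_host_cert /etc/ssl/foo server "$(hostname -f)" 365
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    gen_host_cert "$d" server demo.example.test 30 && echo "generated $(cert_cn "$d/server.crt")"
    gen_host_cert "$d" server other.example.test 30 || echo "second run skipped (rc=$?)"
    echo "fingerprint: $(cert_fingerprint "$d/server.crt")"
    rm -rf "$d"
fi
```

The key point is the early `return 3`: generation is idempotent, so calling it from pkg_postinst on every merge, or from a `certgen` helper, cannot clobber a certificate an administrator later pushed from a trusted host. Running it once per machine also gives each host its own key, which is exactly what a cert baked into the binpkg at src_install() time cannot provide.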
Re: [gentoo-dev] SSL certificates in binary packages
On Tuesday 21 August 2007, Robin H. Johnson wrote:
> On Tue, Aug 21, 2007 at 04:12:32PM +0200, Natanael Copa wrote:
> > I use the gentoo framework to build binary packages. I noticed that most packages create the ssl certificate during src_install(). This makes all binary packages contain the ssl certs, which is a security threat.
>
> I filed bug #174759 to the security team back in April on this issue, and then fixed the openldap package where I had originally found it.
>
> Anybody using binpkgs obtained from a public repository that contain SSL certs should ensure that they regenerate the SSL certs on each machine.
>
> For packages, there are two possible fixes:
> 1. Move the docert call into pkg_postinst.

there it is
-mike