openssl: Expired certificates and recertification
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssl (Debian) | Fix Released | Unknown | |
openssl (Ubuntu) | Invalid | Medium | Fabio Massimo Di Nitto |
Bug Description
Automatically imported from Debian bug report #176062
http://
In Debian Bug tracker #176062, Christoph Martin (martin-uni-mainz) wrote : [Fwd: Bug#176062: openssl: Expired certificates and recertification] | #1 |
In Debian Bug tracker #176062, Christoph Martin (martin-uni-mainz) wrote : [Fwd: [openssl.org #448] [Fwd: Bug#176062: openssl: Expired certificates and recertification]] | #2 |
FYI
[<email address hidden> - Fri Jan 10 15:09:40 2003]:
It's correct, recertification doesn't work very well. A change would however mean making a substantial change to the database (index.txt), which makes it too complicated to get into the 0.9.7 branch.
I'm planning to work on changing this behavior for 0.9.8. Therefore, I'll make sure this ticket has 0.9.8 as milestone.
--
Richard Levitte
In Debian Bug tracker #176062, Wichert Akkerman (wichert) wrote : Renewing certs does not work | #3 |
severity 176062 serious
thanks
This bug still seems to be present and it is preventing me from renewing
the cert for Alioth:
[tornado;
Using configuration from /usr/lib/
Enter pass phrase for ./CA/private/
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:
localityName :PRINTABLE:
organizationName :PRINTABLE:
organizationalU
commonName :PRINTABLE:
emailAddress :IA5STRING:'<email address hidden>'
Certificate is to be certified until Apr 9 11:03:40 2005 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
All permissions are correct. An strace reveals that openssl is not even
trying to do anything on disk:
write(2, "Sign the certificate? [y/n]:", 28) = 28
getpid() = 8217
getpid() = 8217
fstat64(0, {st_mode=
mmap2(NULL, 4096, PROT_READ|
read(0, "y\n", 1024) = 2
getpid() = 8217
getpid() = 8217
open("/
select(7, [6], NULL, NULL, {0, 10000}) = 1 (in [6], left {0, 10000})
read(6, "[..]", 32) = 32
close(6) = 0
getpid() = 8217
getpid() = 8217
getuid32() = 1000
getpid() = 8217
time(NULL) = 1081507779
getpid() = 8217
time([1081507779]) = 1081507779
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() = 8217
getpid() ...
In Debian Bug tracker #176062, Christoph Martin (martin-uni-mainz) wrote : [Fwd: [openssl.org #448] [Fwd: Bug#176062: openssl: Expired certificates and recertification]] | #4 |
Hi Wichert,
upstream wants to fix the problem in version 0.9.8. But I don't know
when this will come. I try to find out, if there is a workaround.
Christoph
PS: Why do you think, this is a serious policy violation?
--
=======
Christoph Martin, EDV der Verwaltung, Uni-Mainz, Germany
Internet-Mail: <email address hidden>
Telefon: +49-6131-3926337
Fax: +49-6131-3922856
[<email address hidden> - Fri Jan 10 15:09:40 2003]:
It's correct, recertification doesn't work very well. A change would however mean making a substantial change to the database (index.txt), which makes it too complicated to get into the 0.9.7 branch.
I'm planning to work on changing this behavior for 0.9.8. Therefore, I'll make sure this ticket has 0.9.8 as milestone.
--
Richard Levitte
Debian Bug Importer (debzilla) wrote : | #6 |
Date: Fri, 10 Jan 2003 00:31:01 +0100
From: Florian Weimer <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: openssl: Expired certificates and recertification
Package: openssl
Version: 0.9.6g-10
Severity: normal
Tags: upstream
"openssl ca" refuses to certify a DN which has already been certified,
even though the old certificate has expired. As a result,
recertification requires an additional, IMHO unnecessary step.
-- System Information:
Debian Release: 3.0
Architecture: i386
Kernel: Linux Login 2.4.18-xfs-1.1 #6 SMP Fri Jan 3 14:39:36 CET 2003 i686
Locale: LANG=C, LC_CTYPE=en_US
Versions of packages openssl depends on:
ii libc6 2.3.1-5 GNU C Library: Shared libraries an
ii libssl0.9.6 0.9.6g-10 SSL shared libraries
ii perl 5.8.0-14 Larry Wall's Practical Extraction
-- no debconf information
Debian Bug Importer (debzilla) wrote : | #7 |
Date: Fri, 10 Jan 2003 14:58:26 +0100
From: Christoph Martin <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: [Fwd: Bug#176062: openssl: Expired certificates and recertification]
Forwarded from Debian Bug Tracking
Christoph
Debian Bug Importer (debzilla) wrote : | #8 |
Date: Mon, 13 Jan 2003 17:59:04 +0100
From: Christoph Martin <email address hidden>
To: <email address hidden>
CC: <email address hidden>
Subject: [Fwd: [openssl.org #448] [Fwd: Bug#176062: openssl: Expired certificates and recertification]]
FYI
Debian Bug Importer (debzilla) wrote : | #10 |
Date: Fri, 9 Apr 2004 13:11:55 +0200
From: Wichert Akkerman <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: Renewing certs does not work
Debian Bug Importer (debzilla) wrote : | #12 |
Date: Tue, 20 Apr 2004 12:03:56 +0200
From: Christoph Martin <email address hidden>
To: <email address hidden>
CC: <email address hidden>
Subject: [Fwd: [openssl.org #448] [Fwd: Bug#176062: openssl: Expired certificates and recertification]]
Fabio Massimo Di Nitto (fabbione) wrote : | #13 |
This is an upstream work in progress. Let's keep it as LATER for when it will be
fixed for real. In any case all distros are affected by this problem.
In Debian Bug tracker #176062, Brian M. Carlson (sandals) wrote : Changing 176062 to important | #14 |
severity 176062 important
thanks, control, and have a nice day
This bug is not severity serious; if you claim it is, please provide a
quote from policy. Thank you, and have a nice day.
Debian Bug Importer (debzilla) wrote : | #15 |
Date: Thu, 8 Jul 2004 20:08:44 +0000
From: "Brian M. Carlson" <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Changing 176062 to important
Fabio Massimo Di Nitto (fabbione) wrote : | #16 |
Changing resolution to avoid spam
In Debian Bug tracker #176062, Florian Weimer (fw) wrote : Update email address | #17 |
submitter 106287 <email address hidden>
submitter 107374 <email address hidden>
submitter 137970 <email address hidden>
submitter 147527 <email address hidden>
submitter 150467 <email address hidden>
submitter 153467 <email address hidden>
submitter 157138 <email address hidden>
submitter 159478 <email address hidden>
submitter 160673 <email address hidden>
submitter 176056 <email address hidden>
submitter 176058 <email address hidden>
submitter 176062 <email address hidden>
submitter 181887 <email address hidden>
thanks
Debian Bug Importer (debzilla) wrote : | #18 |
Date: Wed, 08 Sep 2004 13:46:58 +0200
From: Florian Weimer <email address hidden>
To: <email address hidden>
Subject: Update email address
In Debian Bug tracker #176062, Phil Endecott (phil-zefcs-endecott) wrote : Seems fixed in 0.9.8b-2 | #19 |
This was fixed in 0.9.8.
You need to put "unique_subject = no" in the ca section of your
configuration file and it will let you have more than one certificate
for the same DN, i.e. a new one when your old one expires. (Search
for "subject" in the changelog.)
I suggest that this line is added to the default configuration file.
Phil.
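The failure Wichert shows in #3 and the `unique_subject = no` fix Phil describes in #19, as an added, self-contained reproduction (my script, not code from the bug report or from the OpenSSL project): it builds a throwaway CA, signs one CSR, tries the very same DN again under the default `unique_subject = yes`, then relaxes the setting and signs it a second time. Everything specific to the script is an assumption of the example: the `demo_ca` and `demo_policy` section names, the file names, the `/CN=renewal.example` subject, and that an `openssl` binary (1.1.x or 3.x) is on PATH. One caveat from my own use of `openssl ca`, not something the thread states: after the first issuance `openssl ca` records `unique_subject` in `index.txt.attr` next to the database and consults that file on later runs, so the script sets the value in both places.

```shell
#!/bin/sh
# Added example (not from the bug report): reproduce the "one valid
# certificate per subject" refusal of `openssl ca`, then relax it with
# unique_subject = no, all inside a throwaway CA directory.
# Assumptions: an `openssl` binary on PATH (1.1.x or 3.x); every file and
# section name below is my own invention for the demo.

write_ca_config() {
    # $1 = CA directory, $2 = yes|no for unique_subject, $3 = output path
    cat > "$3" <<EOF
[ ca ]
default_ca      = demo_ca

[ demo_ca ]
dir             = $1
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 1
policy          = demo_policy
unique_subject  = $2

[ demo_policy ]
commonName      = supplied

[ req ]
distinguished_name = req_dn
prompt          = no

[ req_dn ]
commonName      = placeholder
EOF
}

sign_csr() {
    # $1 = config, $2 = CSR, $3 = output cert, $4 = log file
    # Prints "ok" when openssl ca signs, "refused" when it exits non-zero.
    if openssl ca -batch -notext -config "$1" -in "$2" -out "$3" >>"$4" 2>&1; then
        echo ok
    else
        echo refused
    fi
}

reissue_demo() {
    work=$(mktemp -d)
    mkdir "$work/newcerts"
    : > "$work/index.txt"          # empty CA database
    echo 01 > "$work/serial"
    log="$work/ca.log"

    write_ca_config "$work" yes "$work/ca-strict.cnf"
    write_ca_config "$work" no  "$work/ca-relaxed.cnf"

    # Throwaway CA and one leaf request; the DN is identical on every attempt.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
        -config "$work/ca-strict.cnf" -keyout "$work/ca.key" -out "$work/ca.crt" >>"$log" 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=renewal.example" \
        -config "$work/ca-strict.cnf" -keyout "$work/leaf.key" -out "$work/leaf.csr" >>"$log" 2>&1

    # 1) first issuance succeeds; 2) same DN again is refused while the
    #    first entry is still marked V and unique_subject = yes.
    first=$(sign_csr "$work/ca-strict.cnf" "$work/leaf.csr" "$work/leaf1.crt" "$log")
    dup=$(sign_csr "$work/ca-strict.cnf" "$work/leaf.csr" "$work/leaf2.crt" "$log")

    # 3) relax the rule. openssl ca wrote index.txt.attr after the first
    #    issuance and reads it back on later runs, so set it there too.
    printf 'unique_subject = no\n' > "$work/index.txt.attr"
    relaxed=$(sign_csr "$work/ca-relaxed.cnf" "$work/leaf.csr" "$work/leaf2.crt" "$log")

    # Two V (valid) rows with the same subject now coexist in index.txt.
    valid=$(grep -c '^V' "$work/index.txt" || true)
    rm -rf "$work"
    echo "first=$first dup=$dup relaxed=$relaxed valid_entries=$valid"
}

reissue_demo   # prints: first=ok dup=refused relaxed=ok valid_entries=2
```

Run it as a plain sh script; it prints one summary line, and the two V rows left in index.txt share one subject, which is exactly the state the pre-0.9.8 database refused to hold. Current `openssl ca` also offers `-updatedb`, which rewrites entries whose notAfter has passed from V to E; the uniqueness check only considers rows still marked V, so an expired predecessor stops colliding once the database has been updated even with `unique_subject = yes`. That path is not exercised here because it needs a certificate that has actually expired.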
john morimore (paradigmshifter1) wrote : | #20 |
of course the people who are cracking me did the same with any other O.S. I have tried. Security soft or hard does not work, nor do new computers, O.S.'s etc. etc. They could not do what they do without expired certs etc.??
Changed in openssl (Debian): status: Confirmed → Fix Released