make-ssl-cert creates improper hash symlink to ssl-cert-snakeoil.pem

Bug #1324897 reported by Cedric Gustin on 2014-05-30
This bug affects 1 person
Affects: ssl-cert (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Steps to reproduce:

   1. Generate new snakeoil SSL certificates with 'sudo make-ssl-cert generate-default-snakeoil --force-overwrite'
   2. Get hash of new certificate with 'openssl x509 -hash -noout -in /etc/ssl/certs/ssl-cert-snakeoil.pem', say fd1e9cf4
   3. Check that fd1e9cf4.0 symlink to ssl-cert-snakeoil.pem was created in /etc/ssl/certs

Problem:

   - fd1e9cf4 symlink is created instead of fd1e9cf4.0 (with .0 extension)
   - If you're lucky, the hash has not changed and you still have the old fd1e9cf4.0 symlink.
   - If you're unlucky (random seed has changed or you choose a different keysize), the hash will change, the wrong symlink will be created and certificate validation will fail, for example when using TLS with postfix:

     postfix/smtpd[3828]: warning: TLS library problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1260:SSL alert number 48
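
A check for the condition described in this report, as an added example (not code from the bug report or from the ssl-cert package): it scans a hashed certificate directory for symlinks named with a bare 8-hex-digit hash and no `.N` suffix, which OpenSSL's hashed-directory lookup does not open. The function name `audit_hash_links` and the MISSING/STRAY labels are assumptions made for this example; it checks link naming only, not that the hash matches the certificate (step 2 above does that).

```shell
#!/bin/sh
# Added example: audit a CApath-style directory for hash links that lack
# the ".N" suffix. OpenSSL's hashed-directory lookup only opens names of
# the form <8 hex digits>.<n>, so a bare <hash> link is never consulted.

# audit_hash_links DIR   (hypothetical helper name)
# Prints one line per suffix-less hash symlink:
#   MISSING <link> -> <target>   no <hash>.N link points at the same target
#   STRAY   <link> -> <target>   a proper <hash>.N link for the target exists
# Returns 1 if any MISSING line was printed, otherwise 0.
audit_hash_links() {
    dir=$1
    rc=0
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        name=${link##*/}
        # Match names that are exactly 8 lowercase hex digits, no suffix.
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
            *) continue ;;
        esac
        target=$(readlink "$link")
        state=MISSING
        # Look for a correctly named sibling (<hash>.0, <hash>.1, ...)
        # that resolves to the same certificate file.
        for good in "$dir/$name".[0-9]*; do
            [ -L "$good" ] || continue
            if [ "$(readlink "$good")" = "$target" ]; then
                state=STRAY
                break
            fi
        done
        [ "$state" = MISSING ] && rc=1
        printf '%s %s -> %s\n' "$state" "$name" "$target"
    done
    return $rc
}
```

Run it as `audit_hash_links /etc/ssl/certs` after regenerating the snakeoil certificate; a MISSING line means the new certificate has no usable hash link.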
