ssl-cert generate-default-snakeoil provides no way to override default 10 year expiration or reduce to 825 day expiration

Bug #1853021 reported by Joe Stewart
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
ssl-cert (Ubuntu) | Fix Released | Wishlist | Unassigned |

Bug Description

[Impact]
The CA/Browser Forum now has a standard with a maximum expiration of 825 days. `ssl-cert generate-default-snakeoil` hardcodes this to 10 years (3650 days), but provides no mechanism for setting this to alternative values, such as 825.

[Test Case]
$ openssl x509 -enddate -noout -in /etc/ssl/certs/ssl-cert-snakeoil.pem
notAfter=Dec 15 04:21:19 2029 GMT
$ sudo rm /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key
$ sudo make-ssl-cert --expiration-days=10 generate-default-snakeoil
$ openssl x509 -enddate -noout -in /etc/ssl/certs/ssl-cert-snakeoil.pem
notAfter=Nov 24 04:21:43 2020 GMT

[Where Problems Could Occur]
The fix for this bug includes a new implementation of option handling, so the most likely place to watch for issues would be options that no longer work or behave differently. However, the script previously supported only a small number of ways to be executed, so it is simple to just test all the combinations.

The purpose of the script itself is to create certificates, so another obvious thing to watch would be invalidly generated certificates.

[Original Report]
The CA/Browser Forum now has a standard with a maximum expiration of 825 days.

References:

https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/
https://www.sslshopper.com/cab-forum-reduces-max-cert-validity-to-825-days.html
https://support.apple.com/en-us/HT210176

Related previous issue when changed from 30-days to 10-years:

"ssl-cert generate-default-snakeoil provides no way to override default 30 day expiration"
https://bugs.launchpad.net/ubuntu/+source/ssl-cert/+bug/253512

"""
The openssl req command requires a -days argument to override the default number of days (30) for validity of self-signed certificates. 30 days seems an unreasonably low default. I have found no way to change this without fiddling with /usr/sbin/make-ssl-cert and adding "-days 365" (for example) to the relevant command line.
"""


Joe Stewart (joesteart)
summary: ssl-cert generate-default-snakeoil provides no way to override default
- 10 year expiration
+ 10 year expiration or reduce to 825 day expiration
Bryce Harrington (bryce)
description: updated
Bryce Harrington (bryce) wrote :

If I understand correctly, the needed fix here is to modify /usr/sbin/make-ssl-cert to add a --expiration-days=N option that passes the value to the -days arg in the last invocation of `openssl req`, maybe similar to what I've sketched in the attached (completely untested) patch?
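
The option described in the comment above, sketched as an added example: this is not the patch attached to that comment and not the ssl-cert package's code. The function names, the `/CN=snakeoil.example` subject and the temporary output directory are assumptions made for illustration; the script parses `--expiration-days=N`, passes it to `openssl req -days`, and then uses `openssl x509 -checkend` to confirm the resulting lifetime.

```shell
#!/bin/sh
# Added example, not the ssl-cert package's code.
DEFAULT_DAYS=3650   # the 10-year default named in the bug report

# Print the lifetime requested with --expiration-days=N (default if absent);
# reject anything that is not a positive integer.
parse_expiration_days() {
    days=$DEFAULT_DAYS
    for arg in "$@"; do
        case "$arg" in
            --expiration-days=*) days=${arg#--expiration-days=} ;;
        esac
    done
    case "$days" in
        ''|0*|*[!0-9]*) echo "invalid --expiration-days: $days" >&2; return 1 ;;
    esac
    echo "$days"
}

# Write a self-signed key and certificate into directory $1, valid for $2 days.
# The subject name is a constructed placeholder.
gen_selfsigned() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 \
        -days "$2" -subj "/CN=snakeoil.example" \
        -keyout "$1/snakeoil.key" -out "$1/snakeoil.pem" 2>/dev/null
}

# Succeed if certificate $1 reaches its notAfter within $2 days from now.
expires_within_days() {
    [ -r "$1" ] || return 2
    ! openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

main() {
    days=$(parse_expiration_days "$@") || return 2
    dir=$(mktemp -d) || return 1
    gen_selfsigned "$dir" "$days" || { rm -rf "$dir"; return 1; }
    openssl x509 -noout -enddate -in "$dir/snakeoil.pem"
    if expires_within_days "$dir/snakeoil.pem" 825; then
        echo "expires within 825 days"
    else
        echo "valid for more than 825 days"
    fi
    rm -rf "$dir"
}

main "$@" || echo "demo failed (is openssl installed?)" >&2
```

Run with no arguments it reports a certificate valid for more than 825 days; run with `--expiration-days=825` the same check reports expiry within that window.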

Bryce Harrington (bryce)
Changed in ssl-cert (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist
tags: added: bitesize
tags: added: server-next
tags: added: patch
Bryce Harrington (bryce)
description: updated
Stefan Fritsch (sf-sfritsch) wrote :

The link at [1] does not talk about self-signed certificates at all, only about DV and OV certificates. I agree that make-ssl-cert should have an option for the lifetime of the generated certificate, but I don't think that 825 days should be the default for 'generate-default-snakeoil'. If you have an official certificate, you don't have to do anything on the clients to make it trusted, but for a self-signed certificate, you have to distribute the certificate manually. Having to do this every 2.5 years seems excessive.

[1] https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ssl-cert - 1.1.0

---------------
ssl-cert (1.1.0) unstable; urgency=medium

  [ Stefan Fritsch ]
  * Remove obsolete openssl-blacklist suggests.
  * Add some autopkgtests. LP: #1679405
  * Create correct hash symlink. LP: #1324897
  * Automatically re-create the default snakeoil certificate if its key
    length is below 2048 bits or if the signature algorithm is not sha256.
    Closes: #924881

  [ Bryce Harrington ]
  * Refactor make-ssl-cert a bit, add usage message.
  * Add --expiration-days option. LP: #1853021

 -- Stefan Fritsch <email address hidden> Mon, 28 Dec 2020 15:20:52 +0100

Changed in ssl-cert (Ubuntu):
status: Triaged → Fix Released