Bug #9416

Stop shipping ssl-cert-snakeoil in the ISO

Added by intrigeri over 4 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 05/17/2015
Due date:
% Done: 100%
Feature Branch: bugfix/9416-no-ssl-cert-snakeoil
Type of work: Code
Blueprint:
Starter:
Affected tool:

Description

We're currently shipping /etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key, which are the same for all users in a given Tails release. Not only does this introduce needless variations (hence blocks #5630), but there's a risk that some package (either one we already ship, or one that we ship some day, or one that users install themselves) actually uses this pair of SSL keys on the Internet, which is wrong since the private key material is public.

live-build has been deleting those files since 4.0~a20-1 with share/hooks/live/0195-remove-ssl-cert-snakeoil.hook.chroot.


Related issues

Blocks Tails - Feature #5630: Reproducible builds Resolved 09/23/2015

Associated revisions

Revision 6d899412 (diff)
Added by intrigeri over 4 years ago

Don't ship the snakeoil SSL key pair generated by ssl-cert in the ISO.

Not only does this introduce needless variations between ISO images built from the
same source (hence blocks deterministic builds), but there's a risk that some
package (either one we already ship, or one that we ship some day, or one that
users install themselves) actually uses this pair of SSL keys on the Internet,
which is wrong since the private key material is public.

Note that:

  • We run update-ca-certificates after deleting the snakeoil SSL certificate,
    to ensure it's not included in /etc/ssl/certs/ca-certificates.crt.
  • We make sure we delete all symlinks pointing to the SSL snakeoil certificate
    or key, because it avoids having to understand what symlinks are created
    on current Debian, and to track any future changes in this area.

Will-fix: #9416

Revision 91c2f382
Added by anonym over 4 years ago

Merge remote-tracking branch 'origin/bugfix/9416-no-ssl-cert-snakeoil' into stable

Fix-committed: #9416

History

#1 Updated by intrigeri over 4 years ago

#2 Updated by intrigeri over 4 years ago

  • Status changed from Confirmed to In Progress

Applied in changeset commit:cb24703187001f334617d84884825172197a7893.

#3 Updated by intrigeri over 4 years ago

  • % Done changed from 0 to 10
  • Feature Branch set to bugfix/9416-no-ssl-cert-snakeoil

#4 Updated by intrigeri over 4 years ago

  • Assignee changed from intrigeri to anonym
  • % Done changed from 10 to 50
  • QA Check set to Ready for QA

#5 Updated by anonym over 4 years ago

  • Assignee changed from anonym to intrigeri
  • QA Check changed from Ready for QA to Info Needed

First, wouldn't it be nice to remove the files without -f so changes in the names do not go unnoticed?

Next,

+    rm -f /etc/ssl/certs/$(openssl x509 -hash -noout -in /etc/ssl/certs/ssl-cert-snakeoil.pem)
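Review bot: the link name on this line is the bare output of `openssl x509 -hash`, while the hashed links in /etc/ssl/certs end in a numeric suffix such as `.0`, so this `rm -f` targets a path that does not exist and `-f` hides that. If `openssl` fails, the substitution is empty and the argument becomes the directory /etc/ssl/certs/ itself. Suggest dropping `-f` and removing links by what they resolve to rather than by a computed name.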

On my system I also have a .0 file symlinked to ssl-cert-snakeoil.pem, as well as a file of a completely different hash. I guess it has been created after some upgrade, and likely will never happen in Tails. Or could they? The next question is then: any idea what a broken symlink would do in /etc/ssl/certs?

Normally I wouldn't bother with this I think, but I actually did something related the other day, e.g. script the removal of a file and any symlinks to it. Quickly adapted to this situation, we would get:

# Remove the snakeoil certificate and key, plus every symlink that resolves to them.
find /etc/ssl/certs /etc/ssl/private |
  while IFS= read -r f; do
    target="$(readlink -f "${f}")"
    if [ "${target}" = "/etc/ssl/certs/ssl-cert-snakeoil.pem" ] || \
       [ "${target}" = "/etc/ssl/private/ssl-cert-snakeoil.key" ]; then
      rm "${f}"
    fi
  done

which would replace your whole if statement. Of course, it doesn't deal with newlines in filenames, but whatever. What do you think?

#6 Updated by intrigeri over 4 years ago

  • QA Check changed from Info Needed to Dev Needed

> First, wouldn't it be nice to remove the files without -f so changes in the names do not go unnoticed?

Absolutely.

> On my system I also have a .0 file symlinked to ssl-cert-snakeoil.pem, as well as a file of a completely different hash. I guess it has been created after some upgrade, and likely will never happen in Tails.

I bet your guess is correct.

> The next question is then: any idea what a broken symlink would do in /etc/ssl/certs?

No idea. Perhaps we should run update-ca-certificates after deleting the snakeoil cert, by the way: otherwise, /etc/ssl/certs/ca-certificates.crt might still include it. And then, if update-ca-certificates breaks, then the build will fail and we'll notice there's a problem to be fixed. Done locally, stay tuned.

> Normally I wouldn't bother with this I think, but I actually did something related the other day, e.g. script the removal of a file and any symlinks to it. Quickly adapted to this situation, we would get:

I like it, thanks! Applied locally, will test and then reassign to you.

#7 Updated by intrigeri over 4 years ago

#8 Updated by intrigeri over 4 years ago

  • Assignee changed from intrigeri to anonym
  • QA Check changed from Dev Needed to Ready for QA

Rebased, squashed, force-pushed (given the small size of the stable..bugfix/9416-no-ssl-cert-snakeoil diff, I figured that reviewing it will be faster than reviewing incremental changes). Works for me.

#9 Updated by anonym over 4 years ago

  • Status changed from In Progress to Fix committed
  • % Done changed from 50 to 100

#10 Updated by anonym over 4 years ago

  • Assignee deleted (anonym)
  • QA Check changed from Ready for QA to Pass

intrigeri wrote:

> > The next question is then: any idea what a broken symlink would do in /etc/ssl/certs?
>
> No idea. Perhaps we should run update-ca-certificates after deleting the snakeoil cert, by the way: otherwise, /etc/ssl/certs/ca-certificates.crt might still include it. And then, if update-ca-certificates breaks, then the build will fail and we'll notice there's a problem to be fixed. Done locally, stay tuned.

Yes, this makes sense.

> Rebased, squashed, force-pushed (given the small size of the stable..bugfix/9416-no-ssl-cert-snakeoil diff, I figured that reviewing it will be faster than reviewing incremental changes). Works for me.

Merged!

#11 Updated by intrigeri about 4 years ago

  • Status changed from Fix committed to Resolved
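The three conditions this ticket converges on (no snakeoil file, no symlink resolving to one, nothing left in ca-certificates.crt) can be checked on an unpacked filesystem tree. The following is an added example, not the Tails hook or any code from this ticket; the function names, the ROOT argument and REF_CERT (a reference copy of the snakeoil certificate to compare against) are assumptions.

```shell
#!/bin/sh
# Added example, not the Tails build hook. Function names and the ROOT and
# REF_CERT arguments are assumptions made for illustration.
CERT_REL=etc/ssl/certs/ssl-cert-snakeoil.pem
KEY_REL=etc/ssl/private/ssl-cert-snakeoil.key

# Print each path under ROOT/etc/ssl/{certs,private} that is the snakeoil
# certificate or key, or a symlink resolving to one of them. Dangling links
# count too: GNU readlink -f only needs the parent directories to exist.
snakeoil_leftovers() {
    sl_root=$(cd "$1" && pwd -P) || return 2
    find "$sl_root/etc/ssl/certs" "$sl_root/etc/ssl/private" 2>/dev/null |
    while IFS= read -r f; do
        target=$(readlink -f "$f" 2>/dev/null) || continue
        case "$target" in
            # Absolute links resolve against the host root when ROOT is not /.
            "$sl_root/$CERT_REL"|"$sl_root/$KEY_REL"|"/$CERT_REL"|"/$KEY_REL")
                printf '%s\n' "${f#"$sl_root"}" ;;
        esac
    done
}

# Succeed if the PEM body of REF_CERT occurs in BUNDLE, comparing the base64
# text with line breaks removed so re-wrapping does not hide a match.
bundle_contains_cert() {
    body=$(grep -v '^-----' "$2" | tr -d '\r\n')
    [ -n "$body" ] || return 2
    tr -d '\r\n' < "$1" | grep -F -q -- "$body"
}

# Return 0 only if ROOT has no leftovers and its CA bundle omits REF_CERT.
audit_root() {
    [ -r "$2" ] || return 2
    status=0
    left=$(snakeoil_leftovers "$1") || return 2
    if [ -n "$left" ]; then
        printf '%s\n' "$left" | sed 's/^/snakeoil leftover: /' >&2
        status=1
    fi
    bundle=$1/etc/ssl/certs/ca-certificates.crt
    if [ -f "$bundle" ] && bundle_contains_cert "$bundle" "$2"; then
        echo "CA bundle still contains the snakeoil certificate" >&2
        status=1
    fi
    return "$status"
}

# Stand-alone use: sh audit.sh ROOT REF_CERT
if [ "$#" -ge 2 ]; then audit_root "$1" "$2"; fi
```

Because the match is on what each path resolves to, a hashed link left dangling after the certificate itself was deleted is still reported.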
