Bug #9416
Stop shipping ssl-cert-snakeoil in the ISO
100%
Description
We’re currently shipping /etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key, which are the same for all users in a given Tails release. Not only does this introduce needless variations (hence blocks Feature #5630), but there’s a risk that some package (either one we already ship, or one that we ship some day, or one that users install themselves) actually uses this pair of SSL keys on the Internet, which is wrong since the private key material is public.
live-build has been deleting those files since 4.0~a20-1 with share/hooks/live/0195-remove-ssl-cert-snakeoil.hook.chroot.
Subtasks
History
#1 Updated by intrigeri 2015-05-17 10:05:21
- blocks Feature #5630: Reproducible builds added
#2 Updated by intrigeri 2015-05-17 10:26:42
- Status changed from Confirmed to In Progress
Applied in changeset commit:cb24703187001f334617d84884825172197a7893.
#3 Updated by intrigeri 2015-05-17 10:29:38
- % Done changed from 0 to 10
- Feature Branch set to bugfix/9416-no-ssl-cert-snakeoil
#4 Updated by intrigeri 2015-05-20 06:42:55
- Assignee changed from intrigeri to anonym
- % Done changed from 10 to 50
- QA Check set to Ready for QA
#5 Updated by anonym 2015-05-27 10:59:28
- Assignee changed from anonym to intrigeri
- QA Check changed from Ready for QA to Info Needed
First, wouldn’t it be nice to remove the files without -f so changes in the names do not go unnoticed?
Next,
+ rm -f /etc/ssl/certs/$(openssl x509 -hash -noout -in /etc/ssl/certs/ssl-cert-snakeoil.pem)
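Review bot: the path built on this line is the bare output of openssl x509 -hash, whereas hash links in a certificate directory are named with a numeric suffix (the .0 file mentioned just below), so as quoted the rm targets a name that will not exist and -f hides the miss. Append the suffix to the computed name and drop -f so that a link that is not found fails the build instead of passing silently.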
On my system I also have a .0 file symlinked to ssl-cert-snakeoil.pem, as well as a file of a completely different hash. I guess it has been created after some upgrade, and likely will never happen in Tails. Or could they? The next question is then: any idea what a broken symlink would do in /etc/ssl/certs?
Normally I wouldn’t bother with this I think, but I actually did something related the other day, e.g. script the removal of a file and any symlinks to it. Quickly adapted to this situation, we would get:
# Remove the snakeoil cert and key, plus any symlink that resolves to them
find /etc/ssl/certs /etc/ssl/private |
while IFS= read -r f; do
    if [ "$(readlink -f "${f}")" = "/etc/ssl/certs/ssl-cert-snakeoil.pem" ] || \
       [ "$(readlink -f "${f}")" = "/etc/ssl/private/ssl-cert-snakeoil.key" ]; then
        rm "${f}"
    fi
done
which would replace your whole if statement. Of course, it doesn’t deal with newlines in filenames, but whatever. What do you think?
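The removal loop above and the broken-symlink question can be exercised outside a live chroot. The following is an added example, not part of the ticket or of Tails' hook; the ROOT argument, the function names and the sample tree (including the 0123abcd.0 link name) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Tails' hook. ROOT is an assumed scratch-root argument so
# the logic can be exercised outside a live chroot.

# Print every path under ROOT/etc/ssl/{certs,private} that resolves to the
# snakeoil certificate or key: the two files and any symlink to them.
snakeoil_paths() {
    root=$(readlink -f "$1") || return 1
    cert="$root/etc/ssl/certs/ssl-cert-snakeoil.pem"
    key="$root/etc/ssl/private/ssl-cert-snakeoil.key"
    find "$root/etc/ssl/certs" "$root/etc/ssl/private" |
    while IFS= read -r f; do
        t=$(readlink -f "$f")
        if [ "$t" = "$cert" ] || [ "$t" = "$key" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Collect first, then delete without -f: an empty match list or a failed rm
# is an error, so a renamed file cannot go unnoticed.
remove_snakeoil() {
    list=$(snakeoil_paths "$1") || return 1
    [ -n "$list" ] || { echo "no snakeoil files under $1" >&2; return 1; }
    printf '%s\n' "$list" | while IFS= read -r f; do rm "$f" || exit 1; done
}

# Print symlinks in ROOT/etc/ssl/certs whose target no longer exists.
dangling_links() {
    find "$1/etc/ssl/certs" -type l ! -exec test -e {} \; -print
}

# Constructed sample tree: cert, key, one hash-style link, one unrelated cert.
make_sample_root() {
    r=$(mktemp -d) || return 1
    mkdir -p "$r/etc/ssl/certs" "$r/etc/ssl/private"
    echo "constructed cert" > "$r/etc/ssl/certs/ssl-cert-snakeoil.pem"
    echo "constructed key" > "$r/etc/ssl/private/ssl-cert-snakeoil.key"
    echo "constructed other" > "$r/etc/ssl/certs/other-ca.pem"
    ln -s ssl-cert-snakeoil.pem "$r/etc/ssl/certs/0123abcd.0"
    printf '%s\n' "$r"
}
```

Running dangling_links after the removal step in a build hook turns a leftover hash link into a visible failure rather than a silent leftover.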
#6 Updated by intrigeri 2015-05-28 09:25:04
- QA Check changed from Info Needed to Dev Needed
> First, wouldn’t it be nice to remove the files without -f so changes in the names do not go unnoticed?
Absolutely.
> On my system I also have a .0 file symlinked to ssl-cert-snakeoil.pem, as well as a file of a completely different hash. I guess it has been created after some upgrade, and likely will never happen in Tails.
I bet your guess is correct.
> The next question is then: any idea what a broken symlink would do in /etc/ssl/certs?
No idea. Perhaps we should run update-ca-certificates after deleting the snakeoil cert, by the way: otherwise, /etc/ssl/certs/ca-certificates.crt might still include it. And then, if update-ca-certificates breaks, then the build will fail and we’ll notice there’s a problem to be fixed. Done locally, stay tuned.
> Normally I wouldn’t bother with this I think, but I actually did something related the other day, e.g. script the removal of a file and any symlinks to it. Quickly adapted to this situation, we would get:
I like it, thanks! Applied locally, will test and then reassign to you.
#7 Updated by intrigeri 2015-05-28 10:05:49
Applied in changeset commit:6d8994128bd9017b818119271df6ebcabcc95cb2.
#8 Updated by intrigeri 2015-05-28 10:07:13
- Assignee changed from intrigeri to anonym
- QA Check changed from Dev Needed to Ready for QA
Rebased, squashed, force-pushed (given the small size of the stable..bugfix/9416-no-ssl-cert-snakeoil diff, I figured that reviewing it will be faster than reviewing incremental changes). Works for me.
#9 Updated by anonym 2015-05-28 13:05:32
- Status changed from In Progress to Fix committed
- % Done changed from 50 to 100
Applied in changeset commit:91c2f3822a2e47f7d429687e9a66426d28deece3.
#10 Updated by anonym 2015-05-28 13:06:15
- Assignee deleted (anonym)
- QA Check changed from Ready for QA to Pass
intrigeri wrote:
> > The next question is then: any idea what a broken symlink would do in /etc/ssl/certs?
>
> No idea. Perhaps we should run update-ca-certificates after deleting the snakeoil cert, by the way: otherwise, /etc/ssl/certs/ca-certificates.crt might still include it. And then, if update-ca-certificates breaks, then the build will fail and we’ll notice there’s a problem to be fixed. Done locally, stay tuned.
Yes, this makes sense.
> Rebased, squashed, force-pushed (given the small size of the stable..bugfix/9416-no-ssl-cert-snakeoil diff, I figured that reviewing it will be faster than reviewing incremental changes). Works for me.
Merged!
#11 Updated by intrigeri 2015-07-03 03:38:35
- Status changed from Fix committed to Resolved