Bug #9416

Stop shipping ssl-cert-snakeoil in the ISO

Added by intrigeri 2015-05-17 10:05:04 . Updated 2015-07-03 03:38:35 .

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Target version:
Start date:
2015-05-17
Due date:
% Done:

100%

Feature Branch:
bugfix/9416-no-ssl-cert-snakeoil
Type of work:
Code
Blueprint:

Starter:
Affected tool:
Deliverable for:

Description

We’re currently shipping /etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key, which are the same for all users in a given Tails release. Not only does this introduce needless variation (hence blocks Feature #5630), but there’s a risk that some package (either one we already ship, or one that we ship some day, or one that users install themselves) actually uses this pair of SSL keys on the Internet, which is wrong since the private key material is public.

live-build has been deleting those files since 4.0~a20-1 with share/hooks/live/0195-remove-ssl-cert-snakeoil.hook.chroot.


Subtasks


Related issues

Blocks Tails - Feature #5630: Reproducible builds Resolved 2015-09-23

History

#1 Updated by intrigeri 2015-05-17 10:05:21

#2 Updated by intrigeri 2015-05-17 10:26:42

  • Status changed from Confirmed to In Progress

Applied in changeset commit:cb24703187001f334617d84884825172197a7893.

#3 Updated by intrigeri 2015-05-17 10:29:38

  • % Done changed from 0 to 10
  • Feature Branch set to bugfix/9416-no-ssl-cert-snakeoil

#4 Updated by intrigeri 2015-05-20 06:42:55

  • Assignee changed from intrigeri to anonym
  • % Done changed from 10 to 50
  • QA Check set to Ready for QA

#5 Updated by anonym 2015-05-27 10:59:28

  • Assignee changed from anonym to intrigeri
  • QA Check changed from Ready for QA to Info Needed

First, wouldn’t it be nice to remove the files without -f, so that changes in the names do not go unnoticed?

Next,

+    rm -f /etc/ssl/certs/$(openssl x509 -hash -noout -in /etc/ssl/certs/ssl-cert-snakeoil.pem)
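Review bot: the path built here has no `.0` suffix, while the hash links that c_rehash/update-ca-certificates create in /etc/ssl/certs are named `<hash>.0` (the `.0` file mentioned below), so this rm will most likely not match the symlink at all, and `-f` hides that silently; quoting the command substitution (`"$(openssl x509 -hash -noout -in …)"`) and dropping `-f` would make such a mismatch fail the build instead of passing unnoticed.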


On my system I also have a .0 file symlinked to ssl-cert-snakeoil.pem, as well as a file of a completely different hash. I guess it has been created after some upgrade, and likely will never happen in Tails. Or could they? The next question is then: any idea what a broken symlink would do in /etc/ssl/certs?

Normally I wouldn’t bother with this I think, but I actually did something related the other day, e.g. script the removal of a file and any symlinks to it. Quickly adapted to this situation, we would get:

find /etc/ssl/certs /etc/ssl/private |
  while IFS= read -r f; do   # -r and an empty IFS keep backslashes and leading blanks in names intact
    # readlink -f still resolves a link whose target is already gone, so dangling links are caught too
    if [ "$(readlink -f "${f}")" = "/etc/ssl/certs/ssl-cert-snakeoil.pem" ] || \
       [ "$(readlink -f "${f}")" = "/etc/ssl/private/ssl-cert-snakeoil.key" ]; then
      rm "${f}"
    fi
  done


which would replace your whole if statement. Of course, it doesn’t deal with newlines in filenames, but whatever. What do you think?

#6 Updated by intrigeri 2015-05-28 09:25:04

  • QA Check changed from Info Needed to Dev Needed

> First, wouldn’t it be nice to remove the files without -f, so that changes in the names do not go unnoticed?

Absolutely.

> On my system I also have a .0 file symlinked to ssl-cert-snakeoil.pem, as well as a file of a completely different hash. I guess it has been created after some upgrade, and likely will never happen in Tails.

I bet your guess is correct.

> The next question is then: any idea what a broken symlink would do in /etc/ssl/certs?

No idea. Perhaps we should run update-ca-certificates after deleting the snakeoil cert, by the way: otherwise, /etc/ssl/certs/ca-certificates.crt might still include it. And then, if update-ca-certificates breaks, then the build will fail and we’ll notice there’s a problem to be fixed. Done locally, stay tuned.

> Normally I wouldn’t bother with this I think, but I actually did something related the other day, e.g. script the removal of a file and any symlinks to it. Quickly adapted to this situation, we would get:

I like it, thanks! Applied locally, will test and then reassign to you.
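Added example, not part of the thread and not Tails' build hook: a POSIX sh script that combines the find/readlink loop from comment #5 (remove the snakeoil pair together with every symlink that points at it, dangling ones included) with the point from comment #6 that the CA bundle has to be regenerated afterwards, otherwise ca-certificates.crt still carries the certificate. Everything below /etc/ssl is replaced by a scratch tree under mktemp; the function names, the fake PEM bodies, the `deadbeef.0`/`cafe1234.0` link names and `regenerate_bundle` (which just concatenates the remaining .pem files as a stand-in for update-ca-certificates) are all constructed for this demo.

```shell
#!/bin/sh
# Constructed example, not Tails' build hook: remove a cert/key pair together
# with every symlink pointing at it, then check a CA bundle for the cert.
# Everything below /etc/ssl is replaced by a scratch tree built under mktemp.
set -u

# purge_with_symlinks TARGET DIR...
# Removes TARGET and every file or symlink under DIR... whose resolved path
# is TARGET. GNU readlink -f needs only the parent directories to exist, so
# a <hash>.0 link left dangling because TARGET was already deleted earlier in
# the same walk still resolves to TARGET and is removed too.
purge_with_symlinks() {
    abs_target=$(readlink -f "$1"); shift
    find "$@" \( -type f -o -type l \) -print |
      while IFS= read -r f; do          # IFS= and -r keep odd names intact
        if [ "$(readlink -f "$f")" = "$abs_target" ]; then
            rm -- "$f"
        fi
      done
    # TARGET itself, in case it lives outside the searched directories
    [ ! -e "$abs_target" ] || rm -- "$abs_target"
}

# bundle_has_cert CERT_PEM BUNDLE
# Exit 0 if the PEM block of CERT_PEM appears verbatim in BUNDLE. Both sides
# are flattened to one line so the multi-line block can be matched with a
# fixed-string grep.
bundle_has_cert() {
    want=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" | tr -d '\n')
    [ -n "$want" ] || return 2                  # no certificate in the file
    tr -d '\n' < "$2" | grep -qF -- "$want"
}

# regenerate_bundle CERTS_DIR
# Stand-in for update-ca-certificates in the scratch tree: rebuilds
# ca-certificates.crt from the .pem files that are still present.
regenerate_bundle() {
    new="$1/ca-certificates.crt.new"
    : > "$new"
    for c in "$1"/*.pem; do
        if [ -f "$c" ]; then cat "$c" >> "$new"; fi
    done
    mv "$new" "$1/ca-certificates.crt"
}

# make_scratch_tree ROOT
# Constructed stand-in for /etc/ssl: the snakeoil pair, a <hash>.0 link to
# it (as c_rehash creates), an unrelated CA with its own link, and a bundle
# that still (wrongly) contains the snakeoil cert. PEM bodies are fake.
make_scratch_tree() {
    tree="$1"
    mkdir -p "$tree/certs" "$tree/private"
    printf -- '-----BEGIN CERTIFICATE-----\nU05BS0VPSUwtQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n' \
        > "$tree/certs/ssl-cert-snakeoil.pem"
    printf -- '-----BEGIN PRIVATE KEY-----\nU05BS0VPSUwtS0VZ\n-----END PRIVATE KEY-----\n' \
        > "$tree/private/ssl-cert-snakeoil.key"
    printf -- '-----BEGIN CERTIFICATE-----\nUkVBTC1DQS1DT05TVFJVQ1RFRA==\n-----END CERTIFICATE-----\n' \
        > "$tree/certs/Example_Root_CA.pem"
    ln -s ssl-cert-snakeoil.pem "$tree/certs/deadbeef.0"   # hash names are placeholders
    ln -s Example_Root_CA.pem "$tree/certs/cafe1234.0"
    cat "$tree/certs/Example_Root_CA.pem" "$tree/certs/ssl-cert-snakeoil.pem" \
        > "$tree/certs/ca-certificates.crt"
}

# demo: run the whole sequence on a scratch tree and report what remains.
demo() {
    root=$(mktemp -d)
    make_scratch_tree "$root"
    cp "$root/certs/ssl-cert-snakeoil.pem" "$root/snakeoil-copy.pem"   # kept for the check
    purge_with_symlinks "$root/certs/ssl-cert-snakeoil.pem" "$root/certs" "$root/private"
    purge_with_symlinks "$root/private/ssl-cert-snakeoil.key" "$root/certs" "$root/private"
    echo "remaining entries:"; ls -l "$root/certs" "$root/private"
    bundle_has_cert "$root/snakeoil-copy.pem" "$root/certs/ca-certificates.crt" \
        && echo "stale bundle still carries the snakeoil cert"
    regenerate_bundle "$root/certs"
    bundle_has_cert "$root/snakeoil-copy.pem" "$root/certs/ca-certificates.crt" \
        || echo "regenerated bundle is clean"
    rm -rf "$root"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh script.sh --demo` to watch the sequence on the scratch tree. On a real chroot the equivalent of the two `purge_with_symlinks` calls would be followed by `update-ca-certificates`, and `bundle_has_cert` (fed a copy of the certificate kept outside /etc/ssl) is the check that the regenerated /etc/ssl/certs/ca-certificates.crt no longer contains the snakeoil certificate. Note that `rm` is used without `-f`, so a renamed or already-missing file fails the script rather than passing unnoticed.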

#7 Updated by intrigeri 2015-05-28 10:05:49

Applied in changeset commit:6d8994128bd9017b818119271df6ebcabcc95cb2.

#8 Updated by intrigeri 2015-05-28 10:07:13

  • Assignee changed from intrigeri to anonym
  • QA Check changed from Dev Needed to Ready for QA

Rebased, squashed, force-pushed (given the small size of the stable..bugfix/9416-no-ssl-cert-snakeoil diff, I figured that reviewing it will be faster than reviewing incremental changes). Works for me.

#9 Updated by anonym 2015-05-28 13:05:32

  • Status changed from In Progress to Fix committed
  • % Done changed from 50 to 100

Applied in changeset commit:91c2f3822a2e47f7d429687e9a66426d28deece3.

#10 Updated by anonym 2015-05-28 13:06:15

  • Assignee deleted (anonym)
  • QA Check changed from Ready for QA to Pass

intrigeri wrote:
> > The next question is then: any idea what a broken symlink would do in /etc/ssl/certs?
>
> No idea. Perhaps we should run update-ca-certificates after deleting the snakeoil cert, by the way: otherwise, /etc/ssl/certs/ca-certificates.crt might still include it. And then, if update-ca-certificates breaks, then the build will fail and we’ll notice there’s a problem to be fixed. Done locally, stay tuned.

Yes, this makes sense.

> Rebased, squashed, force-pushed (given the small size of the stable..bugfix/9416-no-ssl-cert-snakeoil diff, I figured that reviewing it will be faster than reviewing incremental changes). Works for me.

Merged!

#11 Updated by intrigeri 2015-07-03 03:38:35

  • Status changed from Fix committed to Resolved