On Thu, 24 Apr 2014, Florian Weimer wrote:
I'm working on advice on automated X.509 certificate generation during package installation.
I would strongly recommend doing it on first service start. I've lived through the FreeS/WAN times and my experience with it for 15+ years caused us (in libreswan) to completely refrain from geenrating raw RSA keys or certificates. (But we don't need to do OE/anon TLS) Entropy was always a big issue. Even doing it automatically on first service start was problematic, as people would regularly kill processes of the service because it took too long. One big mistake we made back in those days was that the process was not atomic, so the file listing the available keys would be half written and corrupt.
One aspect is that these files obviously have to be generated on the system during installation (or first service start) and cannot be shipped in the package. Some existing RPMs just drop files into /etc/pki/certs and /etc/pki/tls/private, without marking them as ghost files or configuration files. (I'm not even sure if you can mark something for which no content is provided in the RPM as a configuration file.)
Those are global locations, right? While certs could go there, CAcerts should not just be dropped in there - especially not self-signed ones.
I wonder what an ideal RPM package would do in this case?
How many packages would actually perform any kind of "opportunistic encryption"? I know the mail servers prefer a selfsigned cert over no cert whatsoever, but what other applications have this issue of "better unknown certificate than plaintext" ? For example, I dont think a jabber server package should generate and use a self-signed cert. Paul (sorry, not really know the answer to your rpm question) -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct