[opensuse-security] openssl upgrade clobbers local certificates
I just wanted to warn other users that if you have installed local .crt certificates in /etc/ssl/certs then the recent openssl upgrade will remove the essential links which activate them.

So, before upgrade:

# ls -l | grep -i educat
lrwxrwxrwx 1 root root 27 Nov 19 10:04 7ffb3ace.0 -> CyberTrustEducationalCA.crt
-rw-r--r-- 1 root root 1537 Jan 17 2008 CyberTrustEducationalCA.crt

after upgrade:

# ls -l | grep -i educat
-rw-r--r-- 1 root root 1537 Jan 17 2008 CyberTrustEducationalCA.crt

The culprit is /usr/bin/c_rehash which removes all the existing symbolic links but only reinstates the ones pointing to .pem files.

Regards,
Bob

==============================================================
Bob Vickers
Dept of Computer Science, Royal Holloway, University of London

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org

On Fri, Nov 20, 2009 at 10:31:34AM +0000, Bob Vickers wrote:
I just wanted to warn other users that if you have installed local .crt certificates in /etc/ssl/certs then the recent openssl upgrade will remove the essential links which activate them.
So, before upgrade:
# ls -l | grep -i educat
lrwxrwxrwx 1 root root 27 Nov 19 10:04 7ffb3ace.0 -> CyberTrustEducationalCA.crt
-rw-r--r-- 1 root root 1537 Jan 17 2008 CyberTrustEducationalCA.crt

after upgrade:

# ls -l | grep -i educat
-rw-r--r-- 1 root root 1537 Jan 17 2008 CyberTrustEducationalCA.crt

The culprit is /usr/bin/c_rehash which removes all the existing symbolic links but only reinstates the ones pointing to .pem files.

Please open a bug report if not already done.

Ciao, Marcus

Bob Vickers wrote:
I just wanted to warn other users that if you have installed local .crt certificates in /etc/ssl/certs then the recent openssl upgrade will remove the essential links which activate them.
So, before upgrade:
# ls -l | grep -i educat
lrwxrwxrwx 1 root root 27 Nov 19 10:04 7ffb3ace.0 -> CyberTrustEducationalCA.crt
-rw-r--r-- 1 root root 1537 Jan 17 2008 CyberTrustEducationalCA.crt

after upgrade:

# ls -l | grep -i educat
-rw-r--r-- 1 root root 1537 Jan 17 2008 CyberTrustEducationalCA.crt

The culprit is /usr/bin/c_rehash which removes all the existing symbolic links but only reinstates the ones pointing to .pem files.

Who said you can drop arbitrary files in there and expect them to work? How did the link to the .crt file get there in the first place? I guess you created it manually. Just call the file CyberTrustEducationalCA.pem to avoid the trouble.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

On Fri, 20 Nov 2009, Ludwig Nussel wrote:
Bob Vickers wrote:
I just wanted to warn other users that if you have installed local .crt certificates in /etc/ssl/certs then the recent openssl upgrade will remove the essential links which activate them.
... ...
Who said you can drop arbitrary files in there and expect them to work? How did the link to the .crt file get there in the first place? I guess you created it manually. Just call the file CyberTrustEducationalCA.pem to avoid the trouble.

Yes, thanks, renaming it solves the problem.

I can't remember why I created it as a crt file originally. I know I struggled to find good documentation and did what system administrators usually do and googled around and followed the most coherent advice I could find. It worked perfectly until I applied a security update.

So that's why I sent the message, to warn any other sys admins who might have done the same, because the consequences are nasty until you discover what has gone wrong.

Regards,
Bob

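A check for the failure mode discussed in this thread, added here as an example and not posted by any participant: it lists certificate files in a hashed certificate directory that no hash-style symlink (such as 7ffb3ace.0) points at, so it can be run after an upgrade. The function name unlinked_certs is hypothetical; it assumes PEM-encoded files named *.crt or *.pem and a readlink command.

```shell
#!/bin/sh
# Added example (not from the thread): find certificate files that have lost
# their hash symlink, e.g. after c_rehash has rebuilt the directory.

# unlinked_certs DIR
# Prints one file name per line for every *.crt / *.pem regular file in DIR
# that contains a PEM certificate and is not the target of any
# <8 hex digits>.<n> symlink in the same directory.
unlinked_certs() {
    dir=${1:-/etc/ssl/certs}
    for f in "$dir"/*.crt "$dir"/*.pem; do
        # Skip unmatched globs and symlinks; only real files are candidates.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        # Ignore files that do not hold a PEM certificate.
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || continue
        name=${f##*/}
        linked=no
        for l in "$dir"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
            [ -L "$l" ] || continue
            # Links are compared by the base name of their target, which is
            # how links inside one certificate directory normally look.
            target=$(readlink "$l")
            if [ "${target##*/}" = "$name" ]; then
                linked=yes
                break
            fi
        done
        [ "$linked" = yes ] || printf '%s\n' "$name"
    done
}

# Run against a directory only when one is given on the command line.
if [ "$#" -gt 0 ]; then
    unlinked_certs "$1"
fi
```

An empty result means every certificate file still has a link; it does not verify that the link name matches the certificate's subject hash.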
participants (3)
- Bob Vickers
- Ludwig Nussel
- Marcus Meissner