ssl certificates
Jacek Konieczny
jajcus at jajcus.net
Mon Jun 5 09:19:35 CEST 2006
On Mon, Jun 05, 2006 at 09:27:42AM +0300, Elan Ruusamäe wrote:
> various packages provide default self-signed certificates, some should, but
> don't (cups, courier-imap), and some provide expired certs (apache1, perhaps
> apache2).
>
> so here's the idea:
> let's generate the self signed certificate at build time. if we mark it
> as %config(noreplace), people using the self generated cert won't get cert
> update on upgrade and everybody will feel good.
IMHO such certificates should never be distributed/used. Rather
SSL/TLS/whatever should be disabled at all in the default instalation,
than a default, totally insecure (anybody can get the private key)
certificate being used.
Some kind of solution (at least much more secure) would be to generate a
cerificate during package installation, but that would add dependencies
and would make install process slower.
Greets,
Jacek
More information about the pld-devel-en
mailing list