ssl certificates

Jacek Konieczny jajcus at jajcus.net
Mon Jun 5 09:19:35 CEST 2006


On Mon, Jun 05, 2006 at 09:27:42AM +0300, Elan Ruusamäe wrote:
> various packages provide default self-signed certificates, some should, but 
> don't (cups, courier-imap), and some provide expired certs (apache1, perhaps 
> apache2).
> 
> so here's the idea:
> let's generate the self signed certificate at build time. if we mark it 
> as %config(noreplace), people using the self generated cert won't get cert 
> update on upgrade and everybody will feel good.

IMHO such certificates should never be distributed/used. Rather
SSL/TLS/whatever should be disabled altogether in the default installation,
than a default, totally insecure (anybody can get the private key)
certificate being used.

Some kind of solution (at least much more secure) would be to generate a
certificate during package installation, but that would add dependencies
and would make install process slower.

Greets,
        Jacek


More information about the pld-devel-en mailing list
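
The install-time generation mentioned in the reply above, sketched as a shell function that a package's post-install scriptlet could call. This is an added example, not part of the original message or of PLD's packaging; the function name, the file names `server.key`/`server.crt`, the key size and the validity period are assumptions. Each host creates its own key, and only when no pair exists yet, so no private key ever ships inside the package.

```shell
# ensure_host_cert DIR [CN]
# Hypothetical helper: create a per-host self-signed certificate in DIR
# unless a key/certificate pair is already present there.
ensure_host_cert() {
    dir=$1
    cn=${2:-$(hostname 2>/dev/null || echo localhost)}
    [ -n "$cn" ] || cn=localhost
    key=$dir/server.key
    crt=$dir/server.crt

    # Never overwrite: an admin-installed or earlier generated pair wins,
    # which also keeps package upgrades from replacing it.
    if [ -s "$key" ] && [ -s "$crt" ]; then
        return 0
    fi

    # The dependency cost raised in the message: openssl must be installed.
    command -v openssl >/dev/null 2>&1 || return 1

    # Restrictive umask so the key is never readable by others, even briefly.
    old_umask=$(umask)
    umask 077
    tmpkey=$(mktemp "$dir/.key.XXXXXX") || { umask "$old_umask"; return 1; }
    tmpcrt=$(mktemp "$dir/.crt.XXXXXX") || {
        rm -f "$tmpkey"; umask "$old_umask"; return 1
    }

    if openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$cn" -keyout "$tmpkey" -out "$tmpcrt" >/dev/null 2>&1
    then
        chmod 600 "$tmpkey"
        chmod 644 "$tmpcrt"
        # Move into place only after both files were written successfully.
        mv "$tmpkey" "$key" && mv "$tmpcrt" "$crt"
        rc=$?
    else
        rm -f "$tmpkey" "$tmpcrt"
        rc=1
    fi
    umask "$old_umask"
    return $rc
}
```

A scriptlet would call it as `ensure_host_cert /path/to/service/ssl`; the resulting certificate is still self-signed, so clients can only trust it by pinning or manual verification.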