Size: 5990
Comment: users: + dose
|
Size: 5991
Comment: typo
|
Line 155: | Line 155: |
if os.path.isdir(bundle): | if os.path.exists(bundle): |
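Review bot: the old condition `os.path.isdir(bundle)` can never be true for a bundle path that names a file (the page's value is /etc/ssl/ca-debian/ca-certificates.crt), so the `verify=bundle` branch in the python-requests workaround was silently skipped and the unverified fallback ran on every DSA machine; `os.path.exists(bundle)` corrects that, and `os.path.isfile(bundle)` would be the slightly stricter form since a directory of that name would still be wrong for `verify=`.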
Machines administered by DSA have a custom setup for SSL verification that was announced in 2015.
By default, DSA-administered machines do not trust any CA certs and only contain SSL certs for debian.org services.
Some software is unable to verify debian.org service certs without the CA cert being present and trusted. For such software, DSA has provided /etc/ssl/ca-debian as a workaround. Please file bugs on any software that needs the workaround, using these usertags:
User: debian-admin@lists.debian.org
Usertags: needed-by-DSA-Team ssl
Some services need to verify the SSL certs of arbitrary services on the Internet that could change their SSL provider at any point in time. For such software, DSA has provided /etc/ssl/ca-global, which contains all the certs trusted by ca-certificates.
/etc/ssl/certs
wget in wheezy (but not jessie and later) is known to work with the debian.org service certs present in /etc/ssl/certs on debian.org machines.
/etc/ssl/ca-debian
The following software is unable to verify service certs without the CA cert being present and trusted. Known workarounds for these issues are listed below; please add any more that are needed. If your service needs one of these workarounds, please mention it in the users section below.
apt
apt from Debian jessie requires the bundle rather than the directory:
Acquire::https::buildd.debian.org::CaInfo "/etc/ssl/ca-debian/ca-certificates.crt";
apt from Debian wheezy should be able to use the service cert directly:
Acquire::https::buildd.debian.org::CaInfo "/etc/ssl/servicecerts/buildd.debian.org.crt";
curl
dir=/etc/ssl/ca-debian
test -d $dir && capath="--capath $dir"
curl $capath
or
dir=/etc/ssl/ca-debian
# CURL_CA_BUNDLE is read as a bundle file (the same value as --cacert), not as a directory
test -d $dir && export CURL_CA_BUNDLE="$dir/ca-certificates.crt"
curl
wget
dir=/etc/ssl/ca-debian
test -d $dir && capath="--ca-directory=$dir"
wget $capath
lynx
dir=/etc/ssl/ca-debian
test -d $dir && export SSL_CERT_DIR="$dir"
lynx
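The curl, wget and lynx wrappers above, and the /etc/ssl/ca-global directory described at the top of the page, all make the same decision: which CA location to hand the tool, and whether it exists on the current machine. The following is an added example, not code from the DSA page, that makes that choice in one place for curl; SSL_ROOT is an assumed override (default /etc/ssl) so the logic can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the DSA wiki page). Convention followed:
#   debian.org hosts -> $SSL_ROOT/ca-debian (only the debian.org service CA)
#   anything else    -> $SSL_ROOT/ca-global (the full ca-certificates set)
# On a machine without these directories (not DSA-administered) no option is
# emitted, so the same wrapper runs unchanged elsewhere.
# SSL_ROOT is an assumed override for testing; it defaults to /etc/ssl.

ca_dir_for_url() {
    url=$1
    host=${url#*://}      # drop the scheme
    host=${host%%/*}      # drop the path
    host=${host##*@}      # drop user[:pass]@
    host=${host%%:*}      # drop :port
    case $host in
        debian.org|*.debian.org) echo "${SSL_ROOT:-/etc/ssl}/ca-debian" ;;
        *)                       echo "${SSL_ROOT:-/etc/ssl}/ca-global" ;;
    esac
}

# Prints the curl option for the URL, or nothing when the directory is absent.
# Prefers the bundle file when it exists, because several tools on this page
# (apt, git, rt-mailgate) accept only the bundle; otherwise uses the hashed dir.
curl_ca_args() {
    dir=$(ca_dir_for_url "$1")
    if [ -f "$dir/ca-certificates.crt" ]; then
        echo "--cacert $dir/ca-certificates.crt"
    elif [ -d "$dir" ]; then
        echo "--capath $dir"
    fi
}

# Usage: fetch_with_ca https://www.debian.org/
fetch_with_ca() {
    # word-splitting of the option string is intended
    curl --silent --show-error --fail $(curl_ca_args "$1") "$1"
}
```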
git
git from Debian jessie requires the bundle rather than the dir:
# Or /etc/ssl/ca-global for external repositories
dir=/etc/ssl/ca-debian
test -d $dir && git config --local --add http.sslCAInfo $dir/ca-certificates.crt
For an initial clone:
dir=/etc/ssl/ca-debian
test -d $dir && git -c http.sslCAInfo=$dir/ca-certificates.crt clone <URL>
and then also set the config persistently like above.
git from Debian wheezy should be able to use the service cert directly.
LWP
my $ca_dir = '/etc/ssl/ca-debian';
$ENV{PERL_LWP_SSL_CA_PATH} = $ca_dir if -d $ca_dir;
php
A stream context needs to be created defining the additional cert information. Various APIs can then consume that context. For example:
$capath = '/etc/ssl/ca-debian';
if (is_dir($capath)) {
    $context = stream_context_create(array('ssl' => array('capath' => $capath)));
    libxml_set_streams_context($context);
}
$xml = simplexml_load_file(…);
python-requests
import os
import requests

bundle = '/etc/ssl/ca-debian/ca-certificates.crt'
if os.path.exists(bundle):
    # DSA machine: verify against the debian.org CA bundle
    requests.get('https://www.debian.org/', verify=bundle)
else:
    # elsewhere: the default certifi/system store is used
    requests.get('https://www.debian.org/')
Or in the shell wrapper for the Python script:
dir=/etc/ssl/ca-debian
# must be exported so the Python process inherits it
test -d $dir && export REQUESTS_CA_BUNDLE=$dir/ca-certificates.crt
python-urllib
urllib in jessie and later verifies SSL certificates.
import os
import ssl
import urllib  # Python 2.7.9 and later: urllib.urlopen(url[, data[, proxies[, context]]])

ca_path = '/etc/ssl/ca-debian'
if os.path.isdir(ca_path):
    context = ssl.create_default_context(capath=ca_path)
    data_file = urllib.urlopen("https://www.debian.org/", context=context)
else:
    data_file = urllib.urlopen("https://www.debian.org/")
data = data_file.read()
python-httplib2
This enables a per-connection workaround:
import os
from httplib2 import Http

bundle = '/etc/ssl/ca-debian/ca-certificates.crt'
# None falls back to httplib2's own bundled CA list
ca_certs = bundle if os.path.exists(bundle) else None
h = Http(ca_certs=ca_certs)
This enables a global workaround for the issue and thus will only be suitable in some circumstances and might not always be supported:
import os
import httplib2

bundle = '/etc/ssl/ca-debian/ca-certificates.crt'
if os.path.exists(bundle):
    # module-level default for every Http() created afterwards
    httplib2.CA_CERTS = bundle
rt-mailgate
rt-mailgate requires the bundle rather than the dir:
dir=/etc/ssl/ca-debian
test -d $dir && cafile="--ca-file $dir/ca-certificates.crt"
/usr/bin/rt-mailgate ... $cafile
python-ldap / libldap
Using service certificates no longer works in jessie. The workaround is to use the CA certificate bundle:
import ldap

ca_cert_file = "/etc/ssl/ca-debian/ca-certificates.crt"
# global: applies to every connection opened afterwards
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_file)
# or per connection (connection is an existing ldap.initialize() object),
# set before start_tls_s()/bind:
connection.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_file)
users
- buildd apt
- rt-mailgate
- nagios dsa-check-mirrorsync
- PTS (update_incoming.sh, BTS SOAP calls)
- the l10n stuff
- vote stuff
- webwml (english/mirror/arch_size.pl, english/devel/wnpp/wnpp.pl)
- debwww cron (parts/1listscfg parts/1pseudo-packages)
- contributors.d.o submitters: wiki, ftp-master, nm, spamreview
- qa.d.o (lots)
- dose (cronjob on qa.d.o)
/etc/ssl/ca-global
If your service needs this directory, you can adapt the ca-debian workarounds above for this purpose; please mention your service in the users section below.
users
- PTS update_incoming.sh downloader
- qa.d.o (vcswatch, data/cronjobs/ddpo.ci, data/cronjobs/ddpo.reproducible)
- webwml
- ieee-data
- rtc stuff
- secteam nvd download
- dep11-generator (AppStream data extractor)