Bug#862122: marked as done (unblock: ssl-cert/1.0.39)

To: Niels Thykier <niels@thykier.net>
Subject: Bug#862122: marked as done (unblock: ssl-cert/1.0.39)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Tue, 09 May 2017 05:21:05 +0000
Message-id: <[🔎] handler.862122.D862122.14943071714230.ackdone@bugs.debian.org>
References: <129eb04c-ab68-cc80-43e2-5c32d4915d91@thykier.net> <[🔎] 149427143034.12439.15417626234762626082.reportbug@k.lan>

Your message dated Tue, 09 May 2017 05:19:00 +0000
with message-id <129eb04c-ab68-cc80-43e2-5c32d4915d91@thykier.net>
and subject line Re: Bug#862122: unblock: ssl-cert/1.0.39
has caused the Debian Bug report #862122,
regarding unblock: ssl-cert/1.0.39
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
862122: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862122
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: ssl-cert/1.0.39
From: Stefan Fritsch <sf@sfritsch.de>
Date: Mon, 08 May 2017 21:23:50 +0200
Message-id: <[🔎] 149427143034.12439.15417626234762626082.reportbug@k.lan>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi release team,

Please unblock package ssl-cert

At least the current version of chrome does not accept the default
certificates generated by ssl-cert 1.0.38 anymore, because they don't
contain the host name as SubjectAltName. Therefore it makes sense to
have the new version of ssl-cert in stretch.

Debdiff is attached.

unblock ssl-cert/1.0.39

Cheers,
Stefan

diff -Nru ssl-cert-1.0.38/debian/changelog ssl-cert-1.0.39/debian/changelog
--- ssl-cert-1.0.38/debian/changelog	2016-05-29 13:44:46.000000000 +0200
+++ ssl-cert-1.0.39/debian/changelog	2017-04-28 21:58:22.000000000 +0200
@@ -1,3 +1,12 @@
+ssl-cert (1.0.39) unstable; urgency=medium
+
+  * Always put the common name also in the SubjectAltName. This is required
+    to make newer web browsers happy. Closes: #861185
+    The wording in the debconf questions will be adjusted later, to avoid
+    having to fix so many translation shortly before the release.
+
+ -- Stefan Fritsch <sf@debian.org>  Fri, 28 Apr 2017 21:58:22 +0200
+
 ssl-cert (1.0.38) unstable; urgency=medium
 
   * Update Turkish translation. Thanks to Atila KOÇ. Closes: #807559
diff -Nru ssl-cert-1.0.38/make-ssl-cert ssl-cert-1.0.39/make-ssl-cert
--- ssl-cert-1.0.38/make-ssl-cert	2016-05-29 13:39:30.000000000 +0200
+++ ssl-cert-1.0.39/make-ssl-cert	2017-04-28 21:53:33.000000000 +0200
@@ -32,8 +32,10 @@
     db_input high make-ssl-cert/altname || true
     db_go
     db_get make-ssl-cert/altname
-    AltName="$RET"
+    AddAltName="$RET"
     db_fset make-ssl-cert/altname seen false
+    SubjectAltName="DNS:$HostName"
+    [ -z "$AddAltName" ] || SubjectAltName="$SubjectAltName,$AddAltName"
 }
 
 make_snakeoil() {
@@ -44,15 +46,14 @@
         echo make-ssl-cert: 'make-ssl-cert generate-default-snakeoil --force-overwrite'
         echo make-ssl-cert: again.
     fi
+    SubjectAltName="DNS:$HostName"
     if [ ${#HostName} -gt 64 ] ; then
-        AltName="DNS:$HostName"
         HostName="$(hostname)"
     fi
 }
 
 create_temporary_cnf() {
-    sed -e s#@HostName@#"$HostName"# $template > $TMPFILE
-    [ -z "$AltName" ] || echo "subjectAltName=$AltName" >> $TMPFILE
+    sed -e s#@HostName@#"$HostName"# -e s#@SubjectAltName@#"$SubjectAltName"# $template > $TMPFILE
 }
 
 # Takes two arguments, the base layout and the output cert.
diff -Nru ssl-cert-1.0.38/ssleay.cnf ssl-cert-1.0.39/ssleay.cnf
--- ssl-cert-1.0.38/ssleay.cnf	2016-05-29 13:39:30.000000000 +0200
+++ ssl-cert-1.0.39/ssleay.cnf	2017-04-28 21:54:35.000000000 +0200
@@ -18,3 +18,4 @@
 
 [ v3_req ]
 basicConstraints        = CA:FALSE
+subjectAltName          = @SubjectAltName@

--- End Message ---

--- Begin Message ---

To: Stefan Fritsch <sf@sfritsch.de>, 862122-done@bugs.debian.org

Subject: Re: Bug#862122: unblock: ssl-cert/1.0.39

From: Niels Thykier <niels@thykier.net>

Date: Tue, 09 May 2017 05:19:00 +0000

Message-id: <129eb04c-ab68-cc80-43e2-5c32d4915d91@thykier.net>

In-reply-to: <[🔎] 149427143034.12439.15417626234762626082.reportbug@k.lan>

References: <[🔎] 149427143034.12439.15417626234762626082.reportbug@k.lan>
Stefan Fritsch:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Hi release team,
> 
> Please unblock package ssl-cert
> 
> At least the current version of chrome does not accept the default
> certificates generated by ssl-cert 1.0.38 anymore, because they don't
> contain the host name as SubjectAltName. Therefore it makes sense to
> have the new version of ssl-cert in stretch.
> 
> Debdiff is attached.
> 
> unblock ssl-cert/1.0.39
> 
> Cheers,
> Stefan
> 

Already unblocked and migrated.

Thanks,
~Niels
--- End Message ---

Reply to:

References:
- Bug#862122: unblock: ssl-cert/1.0.39
  - From: Stefan Fritsch <sf@sfritsch.de>

Prev by Date: Re: Upgrade from Debian 8.6 to 8.8
Next by Date: Bug#862150: unblock: lxterminal/0.3.0-1
Previous by thread: Bug#862122: unblock: ssl-cert/1.0.39
Next by thread: Upgrade from Debian 8.6 to 8.8
Index(es):
- Date
- Thread