Automatically generated configuration files

Paul Wouters paul at nohats.ca
Thu Apr 24 14:20:12 UTC 2014


On Thu, 24 Apr 2014, Florian Weimer wrote:

> I'm working on advice on automated X.509 certificate generation during 
> package installation.

I would strongly recommend doing it on first service start. I've lived
through the FreeS/WAN times and my experience with it for 15+ years
caused us (in libreswan) to completely refrain from geenrating raw RSA
keys or certificates. (But we don't need to do OE/anon TLS)

Entropy was always a big issue. Even doing it automatically on first
service start was problematic, as people would regularly kill processes
of the service because it took too long. One big mistake we made back
in those days was that the process was not atomic, so the file listing
the available keys would be half written and corrupt.

> One aspect is that these files obviously have to be generated on the system 
> during installation (or first service start) and cannot be shipped in the 
> package.  Some existing RPMs just drop files into /etc/pki/certs and 
> /etc/pki/tls/private, without marking them as ghost files or configuration 
> files.  (I'm not even sure if you can mark something for which no content is 
> provided in the RPM as a configuration file.)

Those are global locations, right? While certs could go there, CAcerts
should not just be dropped in there - especially not self-signed ones.

> I wonder what an ideal RPM package would do in this case?

How many packages would actually perform any kind of "opportunistic
encryption"? I know the mail servers prefer a selfsigned cert over no
cert whatsoever, but what other applications have this issue of "better
unknown certificate than plaintext" ?

For example, I dont think a jabber server package should generate and
use a self-signed cert.

Paul
(sorry, not really know the answer to your rpm question)


More information about the devel mailing list