SSL cert/key location (was: rawhide report: 20041217 changes)
Axel Thimm
Axel.Thimm at ATrpms.net
Wed Dec 22 03:30:27 UTC 2004
On Tue, Dec 21, 2004 at 09:28:28PM +0100, Enrico Scholz wrote:
> dwmw2 at infradead.org (David Woodhouse) writes:
> >> exim-4.43-3
> >> * Thu Dec 16 2004 David Woodhouse <dwmw2 at redhat.com> 4.43-3
> >> - Demonstrate SASL auth configuration in default config file
> >> - Enable TLS and provide certificate if necessary
> >> - Don't reject all GB2312 charset mail by default
> >
> > This enables TLS on incoming and outgoing mail by default -- some
> > feedback from testing would be appreciated.
>
> To repeat my arguments from bugs #141479, #143392 and #143393:
>
> * the /usr filesystem (inclusive /usr/share/ssl) can be shared between
> several hosts; when there are multiple servers, every one would use
> the same certificate. This will not work because CN must match the DNS
> name
>
> * the sharing happens in >90% of all cases over an unencrypted
> network-filesystem (NFS). So, an attacker could easily get the
> SSL key.
>
> A better place for the certificates would be somewhere under /etc.
Indeed, I always wondered why the certificates had been put under
/usr/share/ssl and by whom. The FHS had been quite strict on this from
the very beginning.
/etc seems a rather sane place. Perhaps /etc/ssl/?
--
Axel.Thimm at ATrpms.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20041222/e2dc14ff/attachment.sig>
More information about the fedora-devel-list
mailing list