On Open Enterprise blog.

I wasn't going to post about this, but it seems that, for my own sanity, I must. As you might know by now, a Debian Security Advisory came out, talking about a problem that affected the OpenSSL package, not only for Debian but for its derivatives too, like Ubuntu.

My first two remarks, and probably the most important ones for my thoughts about this issue:

• If what you know about this issue is what you read on Slashdot, YOU'RE WRONG. Even the news itself is wrong, and the comments are clueless, written by people that don't know shit about what are they talking about. Worse than useless, that story on /. is disinformative.
  Average: Select ratingPoorOkayGoodGreatAwesome

Following the security problem on openssl/openssh specific to Debian (apparently, a lack of randomness in the generation of the keys for the whole OpenSSL library), it is time to renew your SSL certificates and SSH keys (a bit of cleaning). Why not turn it into the occasion to test a new certificate with the capability of answering to different names (with only one certificate and IP), as explained here?

In this post, I include a script that can generate Self-signed X509 certificates (for use with https for example) with several names for the server. This is required because the certificate exchange is made on a lower level than the protocol exchange. For example, Apache can deliver to different domain names, but only one certificate can be used because it is asked before the domain name negotiation. So aliases must be included in the certificate or warnings are printed to the user.

So here is the script. Just run it with the main name for the server in first place, and the other names after it.

Do not hesitate to change the default values in the auxiliary and mandatory openssl-conf.cnf file.