As written, if the exception fires, the function should return with only basicConstraints on CA, which is the original behavior.
Thanks,
-Al
On Mon, Mar 28, 2011 at 8:20 AM, seth vidal <skvidal@xxxxxxxxxxxxxxxxx> wrote:
I'm not in love with the way that error is handled. I'm more inclined toOn Fri, 2011-03-25 at 14:54 -0700, Al Tobey wrote:
> https://github.com/tobert/certmaster/commit/21b55436bc7e9f154c637a4213266e67aa0b6577
>
>
> This patch adds x509 extensions for dnsName and nsComment to
> certmaster. I've only done light testing at this point, but it seems
> to work on my Fedora 14 machine. The try/catch should allow things to
> keep working on older distros with broken x509Extension support in
> pyOpenSSL. I'll be testing on CentOS 5.3 soon, since that's my target
> platform.
>
>
> My goal is to get full mutual authentication working with rsyslog
> 4.2.2 TLS (4.2.2 is shipped with EL6).
>
>
> From openssl x509 -in /etc/pki/certmaster/xxxxxx.cert -text
> Â Â Â Â X509v3 extensions:
> Â Â Â Â Â Â X509v3 Basic Constraints: critical
> Â Â Â Â Â Â Â Â CA:FALSE
> Â Â Â Â Â Â Netscape Comment:
> Â Â Â Â Â Â Â Â Created by certmaster.
> Â Â Â Â Â Â X509v3 Subject Alternative Name:
> Â Â Â Â Â Â Â Â DNS:xxxxxx
>
>
> And openssl x509 -in /etc/pki/certmaster/ca.cert -text
> Â Â Â Â X509v3 extensions:
> Â Â Â Â Â Â X509v3 Basic Constraints: critical
> Â Â Â Â Â Â Â Â CA:TRUE
> Â Â Â Â Â Â Netscape Comment:
> Â Â Â Â Â Â Â Â Created by certmaster.
> Â Â Â Â Â Â X509v3 Subject Alternative Name:
> Â Â Â Â Â Â Â Â DNS:xxxxxx
>
>
> Thanks,
> -Al Tobey
>
>
> commit 21b55436bc7e9f154c637a4213266e67aa0b6577
> Author: Al Tobey <tobert@xxxxxxxxx>
> Date: Â Fri Mar 25 14:14:57 2011 -0700
>
>
> Â Â Add x509 extensions for dnsName and nsComment.
>
> Â Â Many utilities that could use certmaster certs follow rules laid
> Â Â out in RFC3280. At the moment I'm working on integrating rsyslog
> Â Â TLS with mutual authentication. Certmaster certs currently only
> Â Â work in "anon" mode where encryption is achieved, but no
> Â Â authentication is performed.
>
> Â Â To that end, a function _build_extension_list() is implemented in
> Â Â this patch that is now used by both create_ca() and
> Â Â create_slave_certificate() that attempts to add the extensions to
> Â Â the cert before signing.
>
> Â Â subjectKeyIdentifier will be explored in a subsequent patch.
>
>
>
have it fall back to NOT including the extensions if it encounters that
error.
the problem, however, is that on rhel 5.X it doesn't throw an exception,
it segfaults, which is harder to catch. :)
-sv
_______________________________________________ Func-list mailing list Func-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/func-list