Re: PATCH: Add x509Extensions to cacert and slave certs

I'll play around with some workaround options on an EL5 VM. Checking OpenSSL.__version__ would be nasty, but might do the trick. Probably the cleanest (and this is relative) option is a configuration parameter to enable/disable extended attributes.

As written, if the exception fires, the function should return with only basicConstraints on CA, which is the original behavior.

Thanks,
-Al

On Mon, Mar 28, 2011 at 8:20 AM, seth vidal <skvidal@xxxxxxxxxxxxxxxxx> wrote:
On Fri, 2011-03-25 at 14:54 -0700, Al Tobey wrote:
> https://github.com/tobert/certmaster/commit/21b55436bc7e9f154c637a4213266e67aa0b6577
>
>
> This patch adds x509 extensions for dnsName and nsComment to
> certmaster. I've only done light testing at this point, but it seems
> to work on my Fedora 14 machine. The try/catch should allow things to
> keep working on older distros with broken x509Extension support in
> pyOpenSSL. I'll be testing on CentOS 5.3 soon, since that's my target
> platform.
>
>
> My goal is to get full mutual authentication working with rsyslog
> 4.2.2 TLS (4.2.2 is shipped with EL6).
>
>
> From openssl x509 -in /etc/pki/certmaster/xxxxxx.cert -text
>         X509v3 extensions:
>             X509v3 Basic Constraints: critical
>                 CA:FALSE
>             Netscape Comment:
>                 Created by certmaster.
>             X509v3 Subject Alternative Name:
>                 DNS:xxxxxx
>
>
> And openssl x509 -in /etc/pki/certmaster/ca.cert -text
>         X509v3 extensions:
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>             Netscape Comment:
>                 Created by certmaster.
>             X509v3 Subject Alternative Name:
>                 DNS:xxxxxx
>
>
> Thanks,
> -Al Tobey
>
>
> commit 21b55436bc7e9f154c637a4213266e67aa0b6577
> Author: Al Tobey <tobert@xxxxxxxxx>
> Date:   Fri Mar 25 14:14:57 2011 -0700
>
>
>     Add x509 extensions for dnsName and nsComment.
>
>     Many utilities that could use certmaster certs follow rules laid
>     out in RFC3280. At the moment I'm working on integrating rsyslog
>     TLS with mutual authentication. Certmaster certs currently only
>     work in "anon" mode where encryption is achieved, but no
>     authentication is performed.
>
>     To that end, a function _build_extension_list() is implemented in
>     this patch that is now used by both create_ca() and
>     create_slave_certificate() that attempts to add the extensions to
>     the cert before signing.
>
>     subjectKeyIdentifier will be explored in a subsequent patch.
>
>
>


I'm not in love with the way that error is handled. I'm more inclined to
have it fall back to NOT including the extensions if it encounters that
error.

The problem, however, is that on RHEL 5.X it doesn't throw an exception,
it segfaults, which is harder to catch. :)

-sv
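
A worked example of the certificate profile discussed in this thread, added for this archive page and not taken from certmaster or from either poster. Certmaster builds these extensions in pyOpenSSL via _build_extension_list(); this script produces the same extension set with the openssl command-line tool instead: a CA with basicConstraints CA:TRUE, and a slave cert with CA:FALSE, the nsComment "Created by certmaster." and a DNS subjectAltName. It then checks the decoded -text output the way the thread does, and runs the chain and hostname check that a mutual-TLS peer such as rsyslog applies. The hostnames, file paths and function names are constructed for the example (the thread masks its real host as xxxxxx), and the openssl binary is assumed to be OpenSSL 1.1.0 or newer for -verify_hostname.

```shell
#!/bin/sh
# Added example (not certmaster code): reproduce the extension set from the
# thread with the openssl CLI, then verify it as a mutual-TLS peer would.
# Hostnames and paths are constructed for the example.
set -eu

# gen_ca DIR: self-signed CA carrying basicConstraints CA:TRUE (critical),
# nsComment and a DNS subjectAltName, matching the thread's ca.cert dump.
gen_ca() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no

[dn]
CN = certmaster-ca

[ca_ext]
basicConstraints = critical, CA:TRUE
nsComment = "Created by certmaster."
subjectAltName = DNS:certmaster-ca.example.test
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -extensions ca_ext \
        -keyout "$dir/ca.key" -out "$dir/ca.cert"
}

# gen_slave DIR HOST: key and CSR for HOST, signed by the CA with CA:FALSE,
# nsComment and SAN DNS:HOST, matching the thread's slave cert dump.
gen_slave() {
    dir=$1; host=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/ca.cnf" \
        -subj "/CN=$host" -keyout "$dir/slave.key" -out "$dir/slave.csr"
    # Leaf extension file; with no -extensions, the unnamed section is used.
    cat > "$dir/slave.ext" <<EOF
basicConstraints = critical, CA:FALSE
nsComment = "Created by certmaster."
subjectAltName = DNS:$host
EOF
    openssl x509 -req -in "$dir/slave.csr" -CA "$dir/ca.cert" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/slave.ext" -out "$dir/slave.cert"
}

# has_ext CERT PATTERN: true when PATTERN appears in the decoded certificate,
# the same check the thread does by eye on "openssl x509 -text" output.
has_ext() {
    openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

# verify_slave DIR HOST: chain check plus hostname check against the SAN.
# A cert whose SAN does not name the peer fails here even though the chain
# is valid, which is exactly why the SAN matters for mutual authentication.
verify_slave() {
    openssl verify -CAfile "$1/ca.cert" -verify_hostname "$2" "$1/slave.cert"
}

# Stand-alone demo: build both certs, print their extension blocks, verify.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=slave01.example.test   # constructed; the thread masks its host as xxxxxx
gen_ca "$WORK"
gen_slave "$WORK" "$HOST"
for c in ca.cert slave.cert; do
    echo "== $c"
    openssl x509 -in "$WORK/$c" -noout -text |
        sed -n '/X509v3 extensions:/,/Signature Algorithm/p'
done
verify_slave "$WORK" "$HOST"
if verify_slave "$WORK" other.example.test; then
    echo "ERROR: hostname mismatch was accepted" >&2
    exit 1
fi
echo "hostname mismatch rejected as expected"
```

The verification step is the part worth keeping regardless of how the extensions are added. If a slave cert comes out with only basicConstraints, as it would on a pyOpenSSL build where the extension code is skipped, verify_slave fails on the hostname check and the operator finds out about the fallback before rsyslog does.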



_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list
