Web lists-archives.com

Re: Help, I broke sso.debian.org for chrome




 


With Best Regards, Tim



On 09/05/2017 03:08 PM, Ian Jackson wrote:
> Christoph Berg writes ("Re: Help, I broke sso.debian.org for chrome"):
>> Re: Enrico Zini 2017-09-05 <20170905093701.xncmprl2x4so6hu4@xxxxxxxxxxxxxx>
>>> I refactored the certificate generation code for sso.debian.org, and the
>>> certificates it generates now still work in Firefox but not in Chrome.
>>
>> My guess is that the new-style certificates are missing some
>> attributes:
>>
>> Old certificate from 2015:
>>
>>         X509v3 extensions:
>>             X509v3 Basic Constraints: critical
>>                 CA:FALSE
>>             X509v3 Key Usage: critical
>>                 Digital Signature, Key Encipherment, Key Agreement
>>             X509v3 Extended Key Usage: 
>>                 TLS Web Client Authentication
> 
> This last one seems like it ought to be there.  I don't know about the
> Key Usage.
> 
> IIRC there are ways to get the openssl CLI to add specific extenstions
> but I don't know how to do that in the API Enrico is using in sso.
> 
> FYI, Enrico, the openssl CLI tool can dump this kind of thing so you
> can compare before and after.  I forget the exact runes I'm afraid.

Or GnuTLS's certtool:

certtool -i --infile tests/certs/x509-ca-cert.pem

Regards, Tim

Attachment: signature.asc
Description: OpenPGP digital signature