Date: Thu, 11 Jul 2013 21:24:16 GMT
From: "r4721@tormail.org" <r4721@tormail.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: www/180482: tls certificates on svn https mirrors cannot be verified
Message-ID: <201307112124.r6BLOGQU026895@oldred.freebsd.org>
Resent-Message-ID: <201307112130.r6BLU0wT090547@freefall.freebsd.org>
>Number:         180482
>Category:       www
>Synopsis:       tls certificates on svn https mirrors cannot be verified
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-www
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 11 21:30:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     r4721@tormail.org
>Release:
>Organization:
>Environment:
>Description:
The SSL certificates on all https:// svn mirrors cannot be verified because they are self-signed and missing the Certificate Sign extended key usage. A self-signed certificate must have this, because signing a certificate with another (even itself) that is specified as not-able-to-sign is not valid.

The certificates seem to have been made with -extensions v3_req, which by default does not put keyCertSign. (/etc/ssl/openssl.cnf)

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

reference: http://thread.gmane.org/gmane.comp.encryption.openssl.user/48686/focus=48701

keyUsage should have keyCertSign appended (or keyUsage commented out, which would then allow all usages).

> openssl verify -CAfile cert.pem cert.pem
cert.pem: /C=US/ST=CA/O=FreeBSD.org/OU=clusteradm/CN=svnmir.bme.FreeBSD.org/emailAddress=clusteradm@FreeBSD.org
error 20 at 0 depth lookup:unable to get local issuer certificate

> openssl x509 -text -noout -in svn0.eu.freebsd.org
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Key Usage:
        Digital Signature, Non Repudiation, Key Encipherment
    X509v3 Subject Alternative Name:
        DNS:svnmir.bme.FreeBSD.org, ...
>How-To-Repeat:
> openssl req -subj /CN=test -nodes -newkey rsa:2048 -x509 -extensions v3_req \
    -out cert.pem -keyout /dev/null
Generating a 2048 bit RSA private key
.........................................+++
........................................................................+++
writing new private key to '/dev/null'
-----

> openssl verify -CAfile cert.pem cert.pem
cert.pem: /CN=test
error 20 at 0 depth lookup:unable to get local issuer certificate

> openssl x509 -text -noout -in cert.pem
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Key Usage:
        Digital Signature, Non Repudiation, Key Encipherment

>Fix:
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyCertSign

(or any custom combination of keyUsage options that includes keyCertSign)

> openssl req -subj /CN=test -nodes -newkey rsa:2048 -x509 -extensions v3_req \
    -out cert.pem -keyout /dev/null
Generating a 2048 bit RSA private key
..............................................+++
.........+++
writing new private key to '/dev/null'
-----

> openssl verify -CAfile cert.pem cert.pem
cert.pem: OK

> openssl x509 -text -noout -in cert.pem
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Key Usage:
        Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign

>Release-Note:
>Audit-Trail:
>Unformatted:
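An added example, not part of the report or of FreeBSD's tooling: a standard-library-only Python checker that decodes the X.509 KeyUsage extension straight from DER and reports whether a self-signed certificate's KeyUsage allows it to act as its own issuer. The two extension encodings at the bottom are constructed here to match the stock v3_req output shown above and the fixed variant with keyCertSign added; the function names are the example's own.

```python
# Added example (not from the report): stdlib-only KeyUsage audit for DER certificates.

KEY_USAGE_OID = bytes.fromhex("0603551d0f")  # OBJECT IDENTIFIER 2.5.29.15, as a TLV

# RFC 5280 KeyUsage bit names; bit 0 is the most significant bit of the first byte
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def key_usage(der):
    """Return the set of KeyUsage names in a DER blob, or None if the extension is absent."""
    idx = der.find(KEY_USAGE_OID)  # locate the extension by its OID (first occurrence)
    if idx < 0:
        return None
    tag, value, pos = read_tlv(der, idx + len(KEY_USAGE_OID))
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes extnValue
        tag, value, pos = read_tlv(der, pos)
    if tag != 0x04:  # extnValue is an OCTET STRING wrapping the BIT STRING
        raise ValueError("malformed KeyUsage extension")
    tag, bits, _ = read_tlv(value, 0)
    if tag != 0x03:
        raise ValueError("KeyUsage value is not a BIT STRING")
    unused, payload = bits[0], bits[1:]  # first byte counts unused trailing bits
    total_bits = len(payload) * 8 - unused
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i < total_bits and payload[i // 8] & (0x80 >> (i % 8))}


def can_self_sign(der):
    """A self-signed cert is its own issuer: KeyUsage, if present, must include keyCertSign."""
    usage = key_usage(der)
    return usage is None or "keyCertSign" in usage


# Constructed samples: the KeyUsage extension as the stock v3_req section emits it
# (digitalSignature, nonRepudiation, keyEncipherment) and with keyCertSign added.
BROKEN_EXT = bytes.fromhex("300b0603551d0f0404030205e0")
FIXED_EXT = bytes.fromhex("300b0603551d0f0404030202e4")

if __name__ == "__main__":
    for label, ext in (("v3_req as shipped", BROKEN_EXT), ("v3_req + keyCertSign", FIXED_EXT)):
        print(f"{label}: {sorted(key_usage(ext))} -> can self-sign: {can_self_sign(ext)}")
```

On a real certificate, pass the DER bytes of the whole certificate (e.g. the output of `openssl x509 -outform DER`); the checker only needs to find the extension inside it.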