www/180482: tls certificates on svn https mirrors cannot be verified
r4721 at tormail.org
Thu Jul 11 21:30:00 UTC 2013
>Number: 180482
>Category: www
>Synopsis: tls certificates on svn https mirrors cannot be verified
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-www
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jul 11 21:30:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: r4721 at tormail.org
>Release:
>Organization:
>Environment:
>Description:
The SSL certificates on all https:// svn mirrors cannot be verified because they
are self-signed and missing the Certificate Sign extended key usage. A self-signed
certificate must have this, because signing a certificate with another (even
itself) that is specified as not able to sign is not valid.
The certificates seem to have been made with -extensions v3_req, which by default
does not put keyCertSign in (/etc/ssl/openssl.cnf):
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
Reference:
http://thread.gmane.org/gmane.comp.encryption.openssl.user/48686/focus=48701
keyUsage should have keyCertSign appended (or keyUsage commented out, which
would then allow all usages).
> openssl verify -CAfile cert.pem cert.pem
cert.pem: /C=US/ST=CA/O=FreeBSD.org/OU=clusteradm/CN=svnmir.bme.FreeBSD.org/emailAddress=clusteradm at FreeBSD.org
error 20 at 0 depth lookup:unable to get local issuer certificate
> openssl x509 -text -noout -in svn0.eu.freebsd.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:svnmir.bme.FreeBSD.org, ...
>How-To-Repeat:
> openssl req -subj /CN=test -nodes -newkey rsa:2048 -x509 -extensions v3_req \
-out cert.pem -keyout /dev/null
Generating a 2048 bit RSA private key
.........................................+++
........................................................................+++
writing new private key to '/dev/null'
-----
> openssl verify -CAfile cert.pem cert.pem
cert.pem: /CN=test
error 20 at 0 depth lookup:unable to get local issuer certificate
> openssl x509 -text -noout -in cert.pem
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
>Fix:
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyCertSign
(or any custom combination of keyUsage options that includes keyCertSign)
> openssl req -subj /CN=test -nodes -newkey rsa:2048 -x509 -extensions v3_req \
-out cert.pem -keyout /dev/null
Generating a 2048 bit RSA private key
..............................................+++
.........+++
writing new private key to '/dev/null'
-----
> openssl verify -CAfile cert.pem cert.pem
cert.pem: OK
> openssl x509 -text -noout -in cert.pem
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign
>Release-Note:
>Audit-Trail:
>Unformatted:
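The following script is an added example and is not part of the PR or of FreeBSD's cluster tooling. It reproduces the How-To-Repeat and Fix sections above in one run: it builds two self-signed certificates from the same [ v3_req ] section (CA:FALSE, as in the report), one with the stock keyUsage list and one with keyCertSign appended, then shows what OpenSSL records in the Key Usage extension and what `openssl verify -CAfile cert cert` says when each certificate is used as its own trust anchor. The function names (make_selfsigned, has_certsign, verify_as_own_anchor, compare), the temporary config file and the CN are the example's own choices. One caveat a practitioner should expect: the verify result depends on the OpenSSL version. OpenSSL 1.0 and 1.1 reject the keyCertSign-less certificate with error 20 as the report shows, while OpenSSL 3.x treats a self-signed CA:FALSE certificate as an end-entity trust anchor, skips the key-usage check for it (following RFC 6818) and reports OK in both cases. The Key Usage contents, by contrast, are the same on every version, so that is what the script's output should be read for.

```shell
#!/bin/sh
# Added example (not from the PR): regenerate the report's two certificates
# and compare their Key Usage and self-verification results.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_selfsigned KEYUSAGE OUTFILE
# Writes a self-signed certificate whose [ v3_req ] section carries
# basicConstraints = CA:FALSE (as in the report) and the given keyUsage list.
# The config is written on the fly so the example does not depend on the
# contents of the system openssl.cnf.
make_selfsigned() {
    cat > "$WORK/req.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = test
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = $1
EOF
    openssl req -config "$WORK/req.cnf" -nodes -newkey rsa:2048 -x509 -days 1 \
        -extensions v3_req -keyout /dev/null -out "$2" 2>/dev/null
}

# has_certsign CERT -> prints "yes" if the Key Usage extension lists
# "Certificate Sign" (the text form of keyCertSign), otherwise "no".
has_certsign() {
    if openssl x509 -noout -text -in "$1" | grep -q 'Certificate Sign'; then
        echo yes
    else
        echo no
    fi
}

# verify_as_own_anchor CERT -> prints "ok" or "fail" for
# `openssl verify -CAfile CERT CERT`, the check the report runs.
verify_as_own_anchor() {
    if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# compare -> one line per certificate:
#   <label> certsign=<yes|no> verify=<ok|fail>
# The stock v3_req keyUsage list yields certsign=no, the fixed list yields
# certsign=yes; the verify column depends on the OpenSSL version in use.
compare() {
    make_selfsigned "nonRepudiation, digitalSignature, keyEncipherment" \
        "$WORK/without.pem"
    make_selfsigned "nonRepudiation, digitalSignature, keyEncipherment, keyCertSign" \
        "$WORK/with.pem"
    echo "without_keyCertSign certsign=$(has_certsign "$WORK/without.pem") verify=$(verify_as_own_anchor "$WORK/without.pem")"
    echo "with_keyCertSign certsign=$(has_certsign "$WORK/with.pem") verify=$(verify_as_own_anchor "$WORK/with.pem")"
}

compare
```

Run it with `sh` on any host with the openssl command line tool; `openssl version` tells you which of the two verify behaviours to expect. To check a real mirror certificate the same way, fetch it with `openssl s_client -connect host:443 -showcerts` and pass the saved PEM to has_certsign and verify_as_own_anchor.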