While debugging another issue, I found that my test Registrar had stopped being able to connect to my MASA. Some upgrades to OpenSSL and Apache meant that one of those two decided the Extended Key Usage for the client certificates had better be right.

What I found:
1) If there is no EKU, then it's all okay.
2) If there is an EKU, and it contains only cmcRA, then it is rejected.
3) If I add the "clientAuth" EKU, then it works.

I don't know if this is enforced in Apache (via some callback), or within OpenSSL. There is nothing logged in Apache, so I think it's autocratic action by a minor patch level of OpenSSL, and Apache probably needs to override the behaviour. Or, it could be Apache's certificate verify callback. The lack of logging on the server is a serious problem. What does occur is that there is a TLS level response, an SSL Alert, saying that the certificate was rejected.

Perhaps someone else will find this email useful. Mostly, it convinces me to never set any EKU bits. I guess I need to set serverAuth too, now that I think about it.

--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________ Anima mailing list [email protected] https://www.ietf.org/mailman/listinfo/anima
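The three cases in the message above can be reproduced offline with the OpenSSL command line, because `openssl verify -purpose sslclient` applies the same certificate-purpose test that OpenSSL's own chain verification applies when a TLS server checks a client certificate: if an EKU extension is present it must contain clientAuth, and a certificate with no EKU at all is accepted. The script below is an added example, not code from the original message or from the Anima/BRSKI implementations it mentions. It builds a throwaway test CA and three client certificates (no EKU; cmcRA only; cmcRA plus clientAuth) and runs the purpose check on each. The CA subject, the client names and the use of a temporary directory are assumptions of the example; the cmcRA OID 1.3.6.1.5.5.7.3.28 is the id-kp-cmcRA value from RFC 6402, written numerically so the script does not depend on the OpenSSL build knowing the short name.

```shell
#!/bin/sh
# Added example: reproduce the EKU cases from the message with the OpenSSL CLI.
# Requires the openssl binary on PATH (1.1.1 or 3.x). Everything is written
# to a temporary directory that is removed on exit.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

CMC_RA_OID=1.3.6.1.5.5.7.3.28   # id-kp-cmcRA (RFC 6402), given numerically

# Create a throwaway test CA. Subject name is an assumption of this example.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj /CN=example-test-ca \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# issue_client NAME [EKU-LIST]
# Issue a client certificate signed by the test CA. With a second argument
# the certificate carries exactly that extendedKeyUsage list; without one it
# carries no EKU extension at all (the "no EKU" case from the message).
issue_client() {
  name=$1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  if [ $# -ge 2 ]; then
    printf 'extendedKeyUsage = %s\n' "$2" > "$WORK/$name.ext"
    openssl x509 -req -days 1 -in "$WORK/$name.csr" \
      -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
  else
    openssl x509 -req -days 1 -in "$WORK/$name.csr" \
      -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
      -out "$WORK/$name.pem" >/dev/null 2>&1
  fi
}

# check_client NAME
# Run the "sslclient" purpose check that OpenSSL applies to a client chain.
# Prints OK or REJECTED and always returns 0 so callers can compare the text.
check_client() {
  if openssl verify -purpose sslclient -CAfile "$WORK/ca.pem" \
       "$WORK/$1.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo REJECTED
  fi
}

make_ca
issue_client noeku                              # case 1: no EKU extension
issue_client raonly   "$CMC_RA_OID"             # case 2: EKU = cmcRA only
issue_client raclient "$CMC_RA_OID,clientAuth"  # case 3: EKU = cmcRA + clientAuth

for c in noeku raonly raclient; do
  printf '%-9s %s\n' "$c" "$(check_client "$c")"
done
```

Expect `noeku` and `raclient` to report OK and `raonly` to report REJECTED. To see the reason rather than just the verdict, drop the redirection on the `openssl verify` call; OpenSSL reports "unsupported certificate purpose" for the cmcRA-only certificate, which is the client-side counterpart of the bare TLS alert the message describes. The same `-purpose sslclient` check is a cheap thing to run against any client certificate before deploying it to a Registrar, and `-purpose sslserver` is the matching check for the serverAuth side.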
