I'll play around with some workaround options on an EL5 VM. Checking OpenSSL.__version__ would be nasty, but might do the trick. Probably the cleanest (and this is relative) option is a configuration parameter to enable/disable extended attributes.
As written, if the exception fires, the function should return with only basicConstraints on CA, which is the original behavior.

Thanks,
-Al

On Mon, Mar 28, 2011 at 8:20 AM, seth vidal <[email protected]> wrote:
> On Fri, 2011-03-25 at 14:54 -0700, Al Tobey wrote:
> > https://github.com/tobert/certmaster/commit/21b55436bc7e9f154c637a4213266e67aa0b6577
> >
> > This patch adds x509 extensions for dnsName and nsComment to
> > certmaster. I've only done light testing at this point, but it seems
> > to work on my Fedora 14 machine. The try/catch should allow things to
> > keep working on older distros with broken x509Extension support in
> > pyOpenSSL. I'll be testing on CentOS 5.3 soon, since that's my target
> > platform.
> >
> > My goal is to get full mutual authentication working with rsyslog
> > 4.2.2 TLS (4.2.2 is shipped with EL6).
> >
> > From openssl x509 -in /etc/pki/certmaster/xxxxxx.cert -text
> >         X509v3 extensions:
> >             X509v3 Basic Constraints: critical
> >                 CA:FALSE
> >             Netscape Comment:
> >                 Created by certmaster.
> >             X509v3 Subject Alternative Name:
> >                 DNS:xxxxxx
> >
> > And openssl x509 -in /etc/pki/certmaster/ca.cert -text
> >         X509v3 extensions:
> >             X509v3 Basic Constraints: critical
> >                 CA:TRUE
> >             Netscape Comment:
> >                 Created by certmaster.
> >             X509v3 Subject Alternative Name:
> >                 DNS:xxxxxx
> >
> > Thanks,
> > -Al Tobey
> >
> > commit 21b55436bc7e9f154c637a4213266e67aa0b6577
> > Author: Al Tobey <[email protected]>
> > Date:   Fri Mar 25 14:14:57 2011 -0700
> >
> >     Add x509 extensions for dnsName and nsComment.
> >
> >     Many utilities that could use certmaster certs follow rules laid
> >     out in RFC3280. At the moment I'm working on integrating rsyslog
> >     TLS with mutual authentication. Certmaster certs currently only
> >     work in "anon" mode where encryption is achieved, but no
> >     authentication is performed.
> >
> >     To that end, a function _build_extension_list() is implemented in
> >     this patch that is now used by both create_ca() and
> >     create_slave_certificate() that attempts to add the extensions to
> >     the cert before signing.
> >
> >     subjectKeyIdentifier will be explored in a subsequent patch.
> >
>
> I'm not in love with the way that error is handled. I'm more inclined to
> have it fall back to NOT including the extensions if it encounters that
> error.
>
> the problem, however, is that on rhel 5.X it doesn't throw an exception,
> it segfaults, which is harder to catch. :)
>
> -sv
_______________________________________________
Func-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/func-list
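The thread's sticking point is that a broken pyOpenSSL segfaults instead of raising, so an in-process try/except cannot fall back cleanly. The example below is added here and is not certmaster's code: it probes X509Extension support in a child interpreter (a crash or ImportError there only fails the probe), and combines the result with a config flag to decide whether nsComment and subjectAltName join the always-present basicConstraints. The probe script, function names and the hostname values are constructed for illustration; build_extensions() assumes pyOpenSSL is installed and uses the bytes arguments current releases expect.

```python
"""Out-of-process capability probe for pyOpenSSL X509v3 extension support."""
import subprocess
import sys

# Constructed probe script: run in a child interpreter so that a pyOpenSSL
# build that segfaults on X509Extension only kills the child, not the CA daemon.
_PROBE = (
    "from OpenSSL import crypto\n"
    "crypto.X509Extension(b'subjectAltName', False, b'DNS:probe.example')\n"
    "crypto.X509Extension(b'nsComment', False, b'probe')\n"
)


def probe_extension_support(timeout=10):
    """Return True only if a child interpreter can build SAN and nsComment extensions.

    ImportError, a raised exception, a timeout, or a crash (negative
    returncode on POSIX) all count as 'unsupported'.
    """
    try:
        proc = subprocess.run([sys.executable, "-c", _PROBE],
                              capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return False
    return proc.returncode == 0


def extension_specs(is_ca, hostname, use_extensions):
    """Describe the X509v3 extensions as (name, critical, value) tuples.

    basicConstraints is always emitted (the original certmaster behaviour);
    nsComment and subjectAltName are added only when use_extensions is True,
    i.e. the config flag is on and the probe succeeded.
    """
    ca_flag = b"CA:TRUE" if is_ca else b"CA:FALSE"
    specs = [(b"basicConstraints", True, ca_flag)]
    if use_extensions:
        specs.append((b"nsComment", False, b"Created by certmaster."))
        specs.append((b"subjectAltName", False, b"DNS:" + hostname.encode("ascii")))
    return specs


def build_extensions(specs):
    """Turn specs into pyOpenSSL objects; call only after a successful probe."""
    from OpenSSL import crypto  # assumption: pyOpenSSL is available here
    return [crypto.X509Extension(name, critical, value) for name, critical, value in specs]


if __name__ == "__main__":
    supported = probe_extension_support()
    print("extended attributes supported:", supported)
    for spec in extension_specs(False, "host1.example", supported):
        print(spec)
```

Wiring the probe result together with a config switch gives the "enable/disable extended attributes" knob discussed above without relying on OpenSSL.__version__.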
