Re: Help, I broke sso.debian.org for chrome - Found reason

2017-09-06 Thread Enrico Zini
On Wed, Sep 06, 2017 at 01:36:55PM +0200, Enrico Zini wrote:
> I found the reason: python-cryptography writes the certificate issuer
> as UTF8 String while the CA certificate has it as Printable String.
> Because of that, the subject names don't match bit-by-bit.
Fixed:

Re: Help, I broke sso.debian.org for chrome - Found reason

2017-09-06 Thread Bjørn Mork
Enrico Zini writes:
> On Tue, Sep 05, 2017 at 11:37:01AM +0200, Enrico Zini wrote:
>
>> I refactored the certificate generation code for sso.debian.org, and the
>> certificates it generates now still work in Firefox but not in Chrome.
>
> I found the reason:

Re: Help, I broke sso.debian.org for chrome - Found reason

2017-09-06 Thread Enrico Zini
On Wed, Sep 06, 2017 at 01:36:55PM +0200, Enrico Zini wrote:
> On Tue, Sep 05, 2017 at 11:37:01AM +0200, Enrico Zini wrote:
>
> > I refactored the certificate generation code for sso.debian.org, and the
> > certificates it generates now still work in Firefox but not in Chrome.
>
> I found the

Re: Help, I broke sso.debian.org for chrome - Found reason

2017-09-06 Thread Enrico Zini
On Tue, Sep 05, 2017 at 11:37:01AM +0200, Enrico Zini wrote:
> I refactored the certificate generation code for sso.debian.org, and the
> certificates it generates now still work in Firefox but not in Chrome.
I found the reason: python-cryptography writes the certificate issuer as UTF8 String

Re: Help, I broke sso.debian.org for chrome

2017-09-05 Thread Anthony DeRobertis
On Tue, Sep 05, 2017 at 02:08:38PM +0100, Ian Jackson wrote:
>
> FYI, Enrico, the openssl CLI tool can dump this kind of thing so you
> can compare before and after. I forget the exact runes I'm afraid.
openssl x509 -in <> -noout -text is probably the magic line you're looking for.

Re: Help, I broke sso.debian.org for chrome

2017-09-05 Thread Christoph Berg
Re: Enrico Zini 2017-09-05 <20170905163334.2mi5tzacykzja...@enricozini.org>
> I should have managed to do it, but chrome still doesn't seem to like
> it. Can you generate a new certificate and see if you still find
> differences?
"openssl x509 -text -noout" doesn't show any differences anymore

Re: Help, I broke sso.debian.org for chrome

2017-09-05 Thread Enrico Zini
On Tue, Sep 05, 2017 at 12:16:47PM +0200, Christoph Berg wrote:
> My guess is that the new-style certificates are missing some
> attributes:
>
> Old certificate from 2015:
>
> X509v3 extensions:
> X509v3 Basic Constraints: critical
> CA:FALSE
>

Re: Help, I broke sso.debian.org for chrome

2017-09-05 Thread Tim Rühsen
With Best Regards, Tim
On 09/05/2017 03:08 PM, Ian Jackson wrote:
> Christoph Berg writes ("Re: Help, I broke sso.debian.org for chrome"):
>> Re: Enrico Zini 2017-09-05 <20170905093701.xncmprl2x4so6...@enricozini.org>
>>> I refactored the certificate

Re: Help, I broke sso.debian.org for chrome

2017-09-05 Thread Ian Jackson
Christoph Berg writes ("Re: Help, I broke sso.debian.org for chrome"):
> Re: Enrico Zini 2017-09-05 <20170905093701.xncmprl2x4so6...@enricozini.org>
> > I refactored the certificate generation code for sso.debian.org, and the
> > certificates it gene

Re: Help, I broke sso.debian.org for chrome

2017-09-05 Thread Christoph Berg
Re: Enrico Zini 2017-09-05 <20170905093701.xncmprl2x4so6...@enricozini.org>
> I refactored the certificate generation code for sso.debian.org, and the
> certificates it generates now still work in Firefox but not in Chrome.
My guess is that the new-style certificates are missing some attributes:

Help, I broke sso.debian.org for chrome

2017-09-05 Thread Enrico Zini
Hello,
I refactored the certificate generation code for sso.debian.org, and the certificates it generates now still work in Firefox but not in Chrome.
Steps to reproduce:
1. Back up and delete all Debian certificates in Chrome
2. Go to one of these links to generate a new one: