# Description
The X.509 v3 extensions `keyUsage` and `extendedKeyUsage` should always be set
according to [RFC 5280] for TLS communications.
The latest OpenVPN versions use these extensions to enforce the server and client
roles; without these settings, users must disable server verification.
The `nsCertType` extension is also set here, even though recent versions of
OpenVPN deprecate it, for backward compatibility with older OpenVPN servers and
clients.
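As an added illustration (not code from this PR or from ca_manager), the snippet below issues server and client leaf certificates carrying the three extensions named above and then checks a certificate's role the way a peer would. It uses the `cryptography` library; the CA key, names and the `issue_leaf` / `has_tls_role` / `ns_cert_type_bits` helpers are constructed for the example, and the nsCertType bit layout is the Netscape one OpenSSL encodes (`server` = 0x40, `client` = 0x80).

```python
import datetime
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

# nsCertType has no builtin class in `cryptography`: carried as a raw DER BIT STRING
# (03 02 <unused bits> <bits>); bit 0 = SSL client (0x80), bit 1 = SSL server (0x40).
NS_CERT_TYPE_OID = x509.ObjectIdentifier("2.16.840.1.113730.1.1")
NS_CERT_TYPE_DER = {"server": b"\x03\x02\x06\x40", "client": b"\x03\x02\x07\x80"}
EKU_FOR_ROLE = {"server": ExtendedKeyUsageOID.SERVER_AUTH, "client": ExtendedKeyUsageOID.CLIENT_AUTH}
# Constructed throw-away CA identity for the example; ca_manager keeps its CAs in a DB.
CA_KEY = ec.generate_private_key(ec.SECP256R1(), default_backend())
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example VPN CA")])

def issue_leaf(role, common_name):
    # Issue a leaf certificate for `role` ('server' or 'client') signed by CA_KEY.
    key = ec.generate_private_key(ec.SECP256R1(), default_backend())
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .issuer_name(CA_NAME).public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        # keyUsage (RFC 5280 4.2.1.3): what the key may be used for; marked critical.
        .add_extension(x509.KeyUsage(
            digital_signature=True, key_encipherment=True, content_commitment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=False,
            crl_sign=False, encipher_only=False, decipher_only=False), critical=True)
        # extendedKeyUsage (RFC 5280 4.2.1.12): the TLS role of this certificate.
        .add_extension(x509.ExtendedKeyUsage([EKU_FOR_ROLE[role]]), critical=False)
        # Legacy nsCertType for older OpenVPN peers that still check it.
        .add_extension(x509.UnrecognizedExtension(NS_CERT_TYPE_OID, NS_CERT_TYPE_DER[role]), critical=False)
    )
    return builder.sign(CA_KEY, hashes.SHA256(), default_backend())

def has_tls_role(cert, role):
    """True if `cert` may act as `role`: digitalSignature plus the matching EKU purpose."""
    try:
        ku = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE).value
        eku = cert.extensions.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE).value
    except x509.ExtensionNotFound:
        return False  # no role information at all: refuse rather than guess
    return ku.digital_signature and EKU_FOR_ROLE[role] in eku

def ns_cert_type_bits(cert):
    """nsCertType bit byte (0x40 server, 0x80 client), or None if the extension is absent."""
    try:
        return cert.extensions.get_extension_for_oid(NS_CERT_TYPE_OID).value.value[3]
    except x509.ExtensionNotFound:
        return None
```

`has_tls_role` mirrors the kind of role check OpenVPN performs on the peer certificate: a certificate missing either extension is rejected instead of being accepted by default.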
# Testing
I did some testing with `python==3.8.2` and `peewee==2.10.2`.
Certificate generation works as expected, but I got a failure while listing CAs, requests or certificates from `./ca-shell`.
```
(CA Manager)> ls_cas
Traceback (most recent call last):
File "/home/lorenzo/.local/lib/python3.8/site-packages/peewee.py", line 2353, in iterator
yield self.iterate()
File "/home/lorenzo/.local/lib/python3.8/site-packages/peewee.py", line 2345, in iterate
raise StopIteration
StopIteration
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "./ca-shell", line 20, in <module>
CAManagerShell(ca_manager).cmdloop()
File "/usr/lib/python3.8/cmd.py", line 138, in cmdloop
stop = self.onecmd(line)
File "/usr/lib/python3.8/cmd.py", line 217, in onecmd
return func(arg)
File "/home/lorenzo/Repos/ca_manager/ca_manager/shell.py", line 30, in do_ls_cas
for i, authority in enumerate(self.ca_manager.ca):
RuntimeError: generator raised StopIteration
```
I fear this could be because of some incompatibility between the older peewee (version 3 is excluded by the requirement `peewee<3`, as it doesn't contain the `gfk` extension) and newer Python.
[RFC 5280]: https://tools.ietf.org/html/rfc5280