#1 add default extensions for host and user role as per RFC 5280

Open
zolfa wants to merge 4 commits from rfc5280 into master
zolfa commented 4 years ago
Owner

Description

The X.509 v3 extensions keyUsage and extendedKeyUsage should always be set
according to [RFC 5280](https://tools.ietf.org/html/rfc5280) for TLS communications.

The latest OpenVPN versions use these extensions to enforce the server and client
roles; without these settings users must disable server verification.

Here the nsCertType extension is also set, even though it is deprecated by recent
versions of OpenVPN, for backward compatibility with older versions of the OpenVPN
server and client.

Testing

I did some testing with python==3.8.2 and peewee==2.10.2.
Certificate generation works as expected, but I got a failure while listing CAs, requests or certificates from ./ca-shell.

```
(CA Manager)> ls_cas
Traceback (most recent call last):
  File "/home/lorenzo/.local/lib/python3.8/site-packages/peewee.py", line 2353, in iterator
    yield self.iterate()
  File "/home/lorenzo/.local/lib/python3.8/site-packages/peewee.py", line 2345, in iterate
    raise StopIteration
StopIteration

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "./ca-shell", line 20, in <module>
    CAManagerShell(ca_manager).cmdloop()
  File "/usr/lib/python3.8/cmd.py", line 138, in cmdloop
    stop = self.onecmd(line)
  File "/usr/lib/python3.8/cmd.py", line 217, in onecmd
    return func(arg)
  File "/home/lorenzo/Repos/ca_manager/ca_manager/shell.py", line 30, in do_ls_cas
    for i, authority in enumerate(self.ca_manager.ca):
RuntimeError: generator raised StopIteration
```

I fear this could be because of some incompatibility between older peewee (version 3 is excluded by the requirement peewee<3 as it doesn't contain the gfk extension) and newer Python.

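The host/user role extensions the description refers to, as an added example that is not ca_manager's own code: it builds a self-signed test certificate carrying keyUsage, extendedKeyUsage and nsCertType for a "host" (TLS server) or "user" (TLS client) role using the Python `cryptography` package, and reads the role back the way a verifying peer would. The exact keyUsage bits chosen per role and the helper names are assumptions, not taken from the PR.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID, ObjectIdentifier

# Netscape certificate type (deprecated, still honoured by old OpenVPN --ns-cert-type).
NS_CERT_TYPE = ObjectIdentifier("2.16.840.1.113730.1.1")
# DER BIT STRING values: bit 0 = SSL client, bit 1 = SSL server.
NS_CERT_TYPE_DER = {"user": b"\x03\x02\x07\x80", "host": b"\x03\x02\x06\x40"}
# RFC 5280 4.2.1.12: the TLS role is expressed through extendedKeyUsage.
ROLE_EKU = {"host": ExtendedKeyUsageOID.SERVER_AUTH, "user": ExtendedKeyUsageOID.CLIENT_AUTH}


def role_extensions(role):
    """Extensions for a 'host' (server) or 'user' (client) end-entity cert (assumed bit choice)."""
    key_usage = x509.KeyUsage(
        digital_signature=True, content_commitment=False,
        key_encipherment=(role == "host"),  # RSA key transport only matters on the server side
        data_encipherment=False, key_agreement=False, key_cert_sign=False,
        crl_sign=False, encipher_only=False, decipher_only=False,
    )
    return [
        (key_usage, True),  # RFC 5280 4.2.1.3 recommends marking keyUsage critical
        (x509.ExtendedKeyUsage([ROLE_EKU[role]]), False),
        (x509.UnrecognizedExtension(NS_CERT_TYPE, NS_CERT_TYPE_DER[role]), False),
    ]


def make_cert(common_name, role=None):
    """Self-signed test certificate; role=None reproduces a cert without any role extensions."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=1)))
    for ext, critical in (role_extensions(role) if role else []):
        builder = builder.add_extension(ext, critical=critical)
    return builder.sign(key, hashes.SHA256())


def cert_role(cert):
    """Role a peer may claim: 'host', 'user', or None when extendedKeyUsage is absent."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return None  # no role asserted: a strict verifier cannot accept this peer as a server
    return next((role for role, oid in ROLE_EKU.items() if oid in eku), None)
```

A certificate returned by `make_cert(name)` with no role is the case the description mentions: a verifier enforcing roles gets `None` and has to reject it unless role checking is switched off.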
zolfa added the enhancement label 4 years ago
zolfa added this to the lilik-2020-prod milestone 4 years ago