
Conversation

@encukou (Member) commented Oct 7, 2024

openssl req fails with openssl 3.2.2 because the config line

authorityKeyIdentifier = keyid:always,issuer:always 

is not supported for certificate signing requests (since the issuing certificate authority is not known).

David von Oheimb, the OpenSSL developer who made the change, commented in openssl/openssl#22966 (comment):

> This problem did not show up in older OpenSSL versions because of a bug:
> the req app ignored the -extensions option unless -x505 is given,
> which I fixed in openssl/openssl#16865.

(I assume -x505 is a typo for -x509.)

In our make_cert_key function:

If sign is true:

  • We don't pass -x509 to req, so in this case it should be safe to omit the -extensions argument. (Old OpenSSL ignores it, new OpenSSL fails on it.)
  • The extensions are passed to the ca call later in the function. There they take effect, and authorityKeyIdentifier is valid.

If sign is false, this commit has no effect except rearranging the CLI arguments.

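The two flows described in the PR description, as an added example rather than code from CPython's make_ssl_certs.py or from the PR: a throwaway CA is created, the pre-fix `openssl req -new -extensions ...` invocation is attempted so its exit status can be observed on whichever OpenSSL is installed, and then the fixed flow issues a certificate with the extensions applied at signing time. The config sections (`ca_ext`, `leaf_ext`), the subject names and the use of `openssl x509 -req -extfile` in place of `openssl ca` (chosen here only to avoid setting up a CA database) are assumptions of this example; the point it shows is the one the description makes, that `authorityKeyIdentifier` can only be filled in once the issuer is known.

```shell
#!/bin/sh
# Added example, not code from the CPython PR or from make_ssl_certs.py.
# Signing uses `openssl x509 -req -extfile` instead of `openssl ca` (an
# assumption made here to avoid the CA database setup); the behaviour shown
# is the same: extensions such as authorityKeyIdentifier are applied when the
# CA signs, not when the CSR is generated.
set -eu

# Constructed config. "leaf_ext" is the kind of section whose
# authorityKeyIdentifier line makes `openssl req -new -extensions leaf_ext`
# fail on OpenSSL 3.2.2, while older versions silently ignored the option.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF
}

# Self-signed CA: -x509 is given, so req honours -extensions on every
# OpenSSL version and ca_ext ends up in the certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj /CN=example-test-ca -config "$1/openssl.cnf" -extensions ca_ext \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# The pre-fix invocation: -extensions on a plain CSR (no -x509).
# Returns req's exit status so the caller can see what this OpenSSL does.
csr_with_extensions() {
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=localhost \
        -config "$1/openssl.cnf" -extensions leaf_ext \
        -keyout "$1/ignored.key" -out "$1/ignored.csr" 2>/dev/null
}

# The fixed flow: CSR without -extensions, leaf_ext applied at signing time
# where the issuing CA (and therefore its key identifier) is known.
issue_leaf_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=localhost \
        -config "$1/openssl.cnf" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$1/leaf.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/openssl.cnf" -extensions leaf_ext \
        -out "$1/leaf.pem" 2>/dev/null
}

# Succeeds when the certificate carries an Authority Key Identifier extension.
has_aki() {
    openssl x509 -in "$1" -noout -text | grep -q 'Authority Key Identifier'
}

# Build CA and leaf in the given directory; fails if the chain does not verify.
setup_pki() {
    write_config "$1/openssl.cnf"
    make_ca "$1"
    issue_leaf_cert "$1"
    openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null
}

demo() {
    d=$(mktemp -d)
    setup_pki "$d"
    if csr_with_extensions "$d"; then
        echo "req -new -extensions leaf_ext: accepted (older OpenSSL ignores -extensions here)"
    else
        echo "req -new -extensions leaf_ext: rejected (OpenSSL 3.2.2 behaviour)"
    fi
    if has_aki "$d/leaf.pem"; then
        echo "signed leaf certificate carries authorityKeyIdentifier"
    fi
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found; skipping demo" >&2
fi
```

Run it with both an OpenSSL 1.1.1 and a 3.2.2 binary on PATH to see the first line flip from "accepted" to "rejected"; the second line is the same either way, which is why dropping `-extensions` from the `req` call loses nothing.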
@sethmlarson (Contributor) left a comment

LGTM

@encukou (Member, Author)

Thank you!

@encukou merged commit 744caa8 into python:main on Oct 7, 2024
@encukou deleted the make_ssl_certs-update branch on October 7, 2024 at 15:37

3 participants: @encukou, @gpshead, @sethmlarson