Package: python-netlib
Version: 0.10-1
Tags: patch
Control: affects -1 mitmproxy
Usertags: serious

netlib.certutils.dummy_ca() generates certificates with the "Netscape Cert Type" extension, marked as critical. Unfortunately, support for this extension was dropped[0] in Iceweasel 31. As a consequence, mitmproxy users get an error like this:

An error occurred during a connection to www.example.com.
Certificate contains unknown critical extension.
(Error code: sec_error_unknown_critical_extension)

The attached patch fixed the problem for me. (Although of course, I had to regenerate the certificates, and reinstall them in the browser...)


[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1009161

-- System Information:
Debian Release: jessie/sid
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.14-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-netlib depends on:
ii  python          2.7.6-2
ii  python-openssl  0.13.1-2+b1
ii  python-pyasn1   0.1.7-1

--
Jakub Wilk
--- unpacked/usr/share/pyshared/netlib/certutils.py	2014-02-10 13:54:04.000000000 +0100
+++ /usr/share/pyshared/netlib/certutils.py	2014-06-28 16:46:00.240946000 +0200
@@ -24,8 +24,6 @@
     ca.add_extensions([
       OpenSSL.crypto.X509Extension("basicConstraints", True,
                                    "CA:TRUE"),
-      OpenSSL.crypto.X509Extension("nsCertType", True,
-                                   "sslCA"),
       OpenSSL.crypto.X509Extension("extendedKeyUsage", True,
                                     "serverAuth,clientAuth,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC"
                                     ),
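Review bot: Nothing here handles CA certificates that dummy_ca() has already generated: dropping the two nsCertType lines only changes newly generated CAs, so an existing CA still carries the critical extension and keeps failing with sec_error_unknown_critical_extension until it is regenerated and reinstalled, as the report itself notes. That step deserves a NEWS or changelog entry shipped with the patch. If compatibility with clients that still read the extension matters, an alternative to removing it is to keep it non-critical by passing False instead of True as the second argument of X509Extension("nsCertType", ...), since clients ignore non-critical extensions they do not recognise. The context lines that follow keep extendedKeyUsage critical on the CA with a list that includes nsSGC and the ms* purposes; worth confirming that is intended.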

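A check for the condition described in the report, as an added example that is not part of the original report or of netlib: a stdlib-only DER walk that lists the extensions marked critical, so CA certificates generated before the patch (still carrying a critical nsCertType) can be identified. The function names and the hex fragments are constructed for illustration; it assumes DER input with single-byte tags.

```python
# Added example, not netlib code. Assumes DER input with single-byte tags.
NS_CERT_TYPE = bytes.fromhex("6086480186f8420101")  # OID 2.16.840.1.113730.1.1

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    out = []
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        out.append((tag, vs, ve))
        start = ve
    return out

def critical_extension_oids(der, start=0, end=None):
    """Return the encoded OID of every extension whose critical flag is set."""
    found = []
    for tag, vs, ve in children(der, start, len(der) if end is None else end):
        if not tag & 0x20:  # primitive element, nothing nested
            continue
        kids = children(der, vs, ve)
        # Extension ::= SEQUENCE { OID, BOOLEAN (omitted when FALSE), OCTET STRING }
        if tag == 0x30 and [k[0] for k in kids] == [0x06, 0x01, 0x04]:
            if der[kids[1][1]] != 0x00:
                found.append(der[kids[0][1]:kids[0][2]])
        else:
            found.extend(critical_extension_oids(der, vs, ve))
    return found

def has_critical_ns_cert_type(der):
    return NS_CERT_TYPE in critical_extension_oids(der)

# Constructed Extensions fragments (not real certificates): before and after the patch.
BASIC = bytes.fromhex("300f0603551d130101ff040530030101ff")  # basicConstraints, critical
NSCT = bytes.fromhex("30140609") + NS_CERT_TYPE + bytes.fromhex("0101ff040403020204")
BEFORE = b"\x30" + bytes([len(BASIC + NSCT)]) + BASIC + NSCT
AFTER = b"\x30" + bytes([len(BASIC)]) + BASIC
print(has_critical_ns_cert_type(BEFORE), has_critical_ns_cert_type(AFTER))  # True False
```

For a PEM file, convert it with ssl.PEM_cert_to_DER_cert() before passing the bytes in.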