[ https://issues.apache.org/jira/browse/PROTON-2374?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17320734#comment-17320734 ]

Clifford Jansen commented on PROTON-2374:
-----------------------------------------

Workaround.

If creating certificates with OpenSSL, you can force it to generate V3 
certificates even when it otherwise defaults to V1. The trick is to provide 
empty V3 data to the various commands.

For cert signing with "openssl ca" just add "-extfile empty.conf" as a command 
line argument where "empty.conf" is a zero length file.

To make the CA certificate V3 you can add an empty V3 section in its OpenSSL 
config file:

x509_extensions = my_extensions

[ my_extensions ]
 # empty.


However, I would point out that if you are going through these extra hoops, it 
is not a lot of extra work to impress your peers with full V3 certificate 
chains including usage and policy constraints.


keytool only creates V3 certs as best I can tell. Example usage for creating V3 
certificate chains is in cpp/testdata/certs/make_certs.sh
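The comment above depends on a detail of X.509 encoding: the version field of a TBSCertificate is an EXPLICIT [0] INTEGER with DEFAULT v1(0), and DER omits defaulted values, so a V1 certificate simply has no version element while a V3 one carries [0] { INTEGER 2 }. That is why adding extensions (even an empty extension section) forces OpenSSL to emit V3. The script below is an added example, not part of Proton or of this Jira thread; it is a stdlib-only checker that reports which certificates in a PEM bundle are V1, the kind of pre-flight check you would run on a chain before handing it to the Windows backend. The function names (x509_version, v1_indexes, constructed_cert) are my own, and the sample chain is a constructed skeleton of the first few TBSCertificate fields, not real certificates.

```python
"""Report which certificates in a PEM bundle are X.509 v1 (added example, stdlib only)."""
import base64
import re
import sys

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def _read_tlv(buf, pos):
    """Decode one DER tag/length at pos. Returns (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def x509_version(der):
    """Return 1, 2 or 3 for a DER-encoded certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { version [0] EXPLICIT
    INTEGER DEFAULT v1(0), serialNumber, ... }, ... }.  DER omits DEFAULT values,
    so a TBSCertificate whose first element is not the [0] tag is a v1 cert.
    """
    tag, cert_start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, tbs_start, _ = _read_tlv(der, cert_start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, ver_start, _ = _read_tlv(der, tbs_start)
    if tag != 0xA0:                        # no [0] tag: version field absent -> v1
        return 1
    tag, int_start, int_end = _read_tlv(der, ver_start)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[int_start:int_end], "big") + 1


def pem_versions(pem_text):
    """Versions of every certificate in a PEM bundle, in file order."""
    return [x509_version(base64.b64decode(m.group(1)))
            for m in PEM_CERT_RE.finditer(pem_text)]


def v1_indexes(pem_text):
    """Zero-based positions of v1 certificates in the bundle (empty if none)."""
    return [i for i, v in enumerate(pem_versions(pem_text)) if v == 1]


# --- constructed sample data (not real certificates) ------------------------
def _der(tag, content):
    """Minimal DER encoder used only to build the fixtures below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


# AlgorithmIdentifier for sha256WithRSAEncryption, OID 1.2.840.113549.1.1.11
_SHA256_RSA = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))


def constructed_cert(version=None):
    """Certificate skeleton: version [0] (if given), serialNumber, signature algorithm.
    Later TBSCertificate fields are omitted; this is a parser fixture, not a usable cert."""
    tbs = b""
    if version is not None:
        tbs += _der(0xA0, _der(0x02, bytes([version - 1])))
    tbs += _der(0x02, b"\x01") + _SHA256_RSA
    return _der(0x30, _der(0x30, tbs) + _SHA256_RSA + _der(0x03, b"\x00"))


def to_pem(der):
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# A v3 leaf followed by a v1 CA: the shape the Windows backend rejects (constructed).
SAMPLE_CHAIN = to_pem(constructed_cert(3)) + to_pem(constructed_cert(None))

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CHAIN
    print("versions:", pem_versions(text), "v1 at:", v1_indexes(text))
```

Run it with a PEM bundle as the only argument (or with no argument to use the constructed chain); a non-empty "v1 at" list means the chain needs regenerating with the -extfile or x509_extensions trick above before the Windows build will verify it.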

> Windows TLS processing rejects valid V1 X509 certificates
> ---------------------------------------------------------
>
>                 Key: PROTON-2374
>                 URL: https://issues.apache.org/jira/browse/PROTON-2374
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: cpp-binding, proton-c
>    Affects Versions: proton-c-0.33.0
>         Environment: Windows
>            Reporter: Clifford Jansen
>            Assignee: Clifford Jansen
>            Priority: Major
>
> Proton TLS processing for Windows rejects all Version 1 X509 certificates 
> when verifying a peer in the opening handshake.
> This is inconsistent with the Posix versions which accept Version 1 
> certificates without fuss.
> While some might argue no one should be using V1 certs these days (unless 
> needed by some ancient legacy application carefully isolated in a VPN), there 
> is no outright ban on their use. It is easy enough to end up with V1 
> certificates using OpenSSL tooling.
> In the absence of a good argument to exclude V1 certs, this should be fixed 
> and the current tests expanded to include additional certificate chains 
> containing one or more V1 certificates.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
