On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
> The attached patch fixes
> https://fedorahosted.org/freeipa/ticket/4970.
> Note that the problem is addressed by adding the appropriate request
> extension to the CSR; the fix does not involve changing the default
> profile behaviour, which is complicated (see ticket for details).

Thanks for the patch! This is something we should really fix; I already get
warnings in my Python scripts when I hit sites protected by such an HTTPS cert:

SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has no
`subjectAltName`, falling back to check for a `commonName` for now. This
feature is being removed by major browsers and deprecated by RFC 2818. (See
https://github.com/shazow/urllib3/issues/497 for details.)

Should we split ticket 4970 into the FreeIPA server part and the cert
profile part? It looks like the FreeIPA server will be fixed even in FreeIPA
4.3.x and the other part later.

How difficult do you see the general FreeIPA Certificate Profile part of this
request? Is it too big a task to handle in the 4.4 time frame?

