On Tue, Dec 08, 2015 at 09:00:20AM +0100, Martin Kosek wrote:
> On 12/08/2015 02:22 AM, Fraser Tweedale wrote:
> > On Tue, Dec 08, 2015 at 08:46:39AM +1000, Fraser Tweedale wrote:
> >> On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
> >>> On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
> >>>> The attached patch fixes
> >>>> https://fedorahosted.org/freeipa/ticket/4970.
> >>>>
> >>>> Note that the problem is addressed by adding the appropriate request
> >>>> extension to the CSR; the fix does not involve changing the default
> >>>> profile behaviour, which is complicated (see ticket for details).
> >>>
> >>> Thanks for the patch! This is something we should really fix, I already get
> >>> warnings in my Python scripts when I hit sites protected by such an HTTPS cert:
> >>>
> >>> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
> >>> SubjectAltNameWarning: Certificate for projects.engineering.redhat.com has no
> >>> `subjectAltName`, falling back to check for a `commonName` for now. This
> >>> feature is being removed by major browsers and deprecated by RFC 2818. (See
> >>> https://github.com/shazow/urllib3/issues/497 for details.)
> >>>
> >>> Should we split ticket 4970, for the FreeIPA server part and then for the cert
> >>> profile part? As it looks like the FreeIPA server will be fixed even in FreeIPA
> >>> 4.3.x and the other part later.
> >>>
> >>> How difficult do you see the general FreeIPA Certificate Profile part of this
> >>> request? Is it too big a task to handle in the 4.4 time frame?
> >>>
> >> I will split the ticket and would suggest 4.4 Backlog - it might be
> >> doable but is a lower priority than e.g. Sub-CAs.
> >>
> > PKI ticket: https://fedorahosted.org/pki/ticket/1710
> > IPA tracker: https://fedorahosted.org/freeipa/ticket/5523
> 
> Thanks. I updated the ticket and added more information. I increased the priority
> as I do not want us to overlook it, as it has the potential to break FreeIPA
> certificates when the major browsers remove support for such certificates. Right?
>
Yes.  With my (updated) patch the IPA HTTP/LDAP certs issued during
ipa-server-install or ipa-replica-prepare and IPA client host certs
issued during ipa-client-install will be OK.  But for service and
host certs issued due to user requests this is the case.

Cheers,
Fraser

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
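
As an added illustration of the point discussed above (this is example code, not
the patch and not FreeIPA or Dogtag code), the Go program below uses only the
standard library (Go 1.17 or later) to build two CSRs for the constructed hostname
ipa.example.test: one that carries the hostname only in the CN, and one that also
requests it in a subjectAltName extension, which is the shape the patch produces.
A toy self-signing issuer, assumed for the example, copies whatever SAN the CSR
asked for. Each resulting certificate is then checked two ways: the strict way
(Go's VerifyHostname, which like current browsers never consults the CN) and with
the deprecated RFC 2818 CN fallback that the urllib3 warning quoted above describes.
The helper names, the issuer and the hostname are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newCSR builds a CSR whose CN is host; with withSAN the hostname also goes
// into a subjectAltName request extension, otherwise only the CN carries it.
func newCSR(host string, withSAN bool) (*x509.CertificateRequest, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}}
	if withSAN {
		tmpl.DNSNames = []string{host}
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	return csr, key, err
}

// csrHasSAN reports whether the parsed CSR requested id-ce-subjectAltName (2.5.29.17).
func csrHasSAN(csr *x509.CertificateRequest) bool {
	for _, ext := range csr.Extensions {
		if ext.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 17}) {
			return true
		}
	}
	return false
}

// issue is a toy self-signing issuer (an assumption for the example, not Dogtag):
// it copies the CSR's subject and requested dNSNames and adds no names of its own.
func issue(csr *x509.CertificateRequest, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, csr.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// legacyMatch is the deprecated RFC 2818 behaviour the urllib3 warning describes:
// check the SAN when present, otherwise fall back to the CN.
func legacyMatch(cert *x509.Certificate, host string) (ok, usedCN bool) {
	if len(cert.DNSNames) > 0 {
		return cert.VerifyHostname(host) == nil, false
	}
	return strings.EqualFold(cert.Subject.CommonName, host), true
}

type Result struct {
	CSRHasSAN, CertHasSAN bool
	StrictOK              bool // VerifyHostname: SAN only, never the CN (browsers, Go 1.17+)
	LegacyOK, UsedCN      bool // CN-fallback check, and whether it had to use the CN
}

// run builds a CSR for host, issues a cert for it and verifies that cert as verifyAs.
func run(host, verifyAs string, withSAN bool) (Result, error) {
	csr, key, err := newCSR(host, withSAN)
	if err != nil {
		return Result{}, err
	}
	cert, err := issue(csr, key)
	if err != nil {
		return Result{}, err
	}
	r := Result{CSRHasSAN: csrHasSAN(csr), CertHasSAN: len(cert.DNSNames) > 0}
	r.StrictOK = cert.VerifyHostname(verifyAs) == nil
	r.LegacyOK, r.UsedCN = legacyMatch(cert, verifyAs)
	return r, nil
}

func main() {
	const host = "ipa.example.test" // constructed hostname for the example
	for _, withSAN := range []bool{false, true} {
		r, err := run(host, host, withSAN)
		if err != nil {
			panic(err)
		}
		fmt.Printf("withSAN=%-5v %+v\n", withSAN, r)
	}
}
```

The CN-only certificate passes only the legacy check and only by falling back to
the CN; the certificate issued from the CSR with the SAN request extension passes
both. That is the gap the thread is concerned about: a client that drops the CN
fallback rejects the first certificate outright, and a CA profile that does not
add a SAN itself will only issue a usable certificate if the CSR asks for one.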
