On Tue, Jul 19, 2016 at 02:21:05PM +0200, Martin Basti wrote:
> 
> 
> On 01.07.2016 13:26, Petr Spacek wrote:
> > On 20.1.2016 05:04, Fraser Tweedale wrote:
> > > On Tue, Dec 08, 2015 at 07:06:39PM +1000, Fraser Tweedale wrote:
> > > > On Mon, Dec 07, 2015 at 05:50:05PM -0500, Rob Crittenden wrote:
> > > > > Fraser Tweedale wrote:
> > > > > > On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote:
> > > > > > > On 12/07/2015 06:26 AM, Fraser Tweedale wrote:
> > > > > > > > The attached patch fixes
> > > > > > > > https://fedorahosted.org/freeipa/ticket/4970.
> > > > > > > > 
> > > > > > > > > Note that the problem is addressed by adding the appropriate
> > > > > > > > > request extension to the CSR; the fix does not involve changing
> > > > > > > > > the default profile behaviour, which is complicated (see ticket
> > > > > > > > > for details).
> > > > > > > > Thanks for the patch! This is something we should really fix, I
> > > > > > > > already get warnings in my Python scripts when I hit sites
> > > > > > > > protected by such HTTPS cert:
> > > > > > > > 
> > > > > > > > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:264:
> > > > > > > > SubjectAltNameWarning: Certificate for
> > > > > > > > projects.engineering.redhat.com has no `subjectAltName`, falling
> > > > > > > > back to check for a `commonName` for now. This feature is being
> > > > > > > > removed by major browsers and deprecated by RFC 2818. (See
> > > > > > > > https://github.com/shazow/urllib3/issues/497 for details.)
> > > > > > > > 
> > > > > > > > Should we split ticket 4970, for the FreeIPA server part and then
> > > > > > > > for cert profile part? As it looks like the FreeIPA server will be
> > > > > > > > fixed even in FreeIPA 4.3.x and the other part later.
> > > > > > > > 
> > > > > > > > How difficult do you see the general FreeIPA Certificate Profile
> > > > > > > > part of this request? Is it a too big task to handle in 4.4 time
> > > > > > > > frame?
> > > > > > > > 
> > > > > > I will split the ticket and would suggest 4.4 Backlog - it might be
> > > > > > doable but is a lower priority than e.g. Sub-CAs.
> > > > > If you are going to defer the profile part then you should probably
> > > > > update the client to also include a SAN if --request-cert is provided.
> > > > > 
> > > > > rob
> > > > > 
> > > > Yes, good idea.  Updated patch attached.
> > > > 
> > > > Cheers,
> > > > Fraser
> > > Bump, with rebased patch.
> > Hi,
> > 
> > this seems to work for Apache on IPA server & client cert. ACK.
> Pushed to master: b12db924143cd6828c596c0b8a261325f3f589f3
> 
> > 
> > Interestingly enough I found out that Dogtag cert used on port 8443 does not
> > have any SAN.
> > 
> > Is it in scope of this ticket?
> I will leave the ticket open until this is answered.
> 
It's in scope.  Also in scope is to make default profile
automatically add SAN dNSName if none is supplied.

Thanks,
Fraser

> Martin^2
> > 
> 
> -- 
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

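Added example (editor's note, not part of the thread and not FreeIPA's patch): the fix discussed above puts a subjectAltName dNSName into the CSR's extensionRequest attribute, and the urllib3 warning quoted by Martin is what a client does when that extension is missing. The stdlib-only Python below builds that PKCS#10 attribute with the standard OIDs (2.5.29.17 for subjectAltName, 1.2.840.113549.1.9.14 for extensionRequest), parses it back to list the dNSName entries, and applies the SAN-first / CN-fallback rule from the warning. Assumptions: it works on the bare attribute rather than a whole CSR, host names are constructed sample values, and matching is exact (no wildcards, no IP addresses).

```python
"""DER helpers for a CSR extensionRequest carrying subjectAltName (constructed example)."""

OID_SUBJECT_ALT_NAME = "2.5.29.17"           # RFC 5280 id-ce-subjectAltName
OID_EXTENSION_REQUEST = "1.2.840.113549.1.9.14"  # PKCS#9 extensionRequest

TAG_SEQUENCE = 0x30
TAG_SET = 0x31
TAG_OID = 0x06
TAG_OCTET_STRING = 0x04
TAG_DNS_NAME = 0x82   # GeneralName dNSName: [2] IMPLICIT IA5String


def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(TAG_OID, bytes(out))


def encode_san_extension(dns_names):
    """Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE (omitted), extnValue }"""
    general_names = b"".join(der_tlv(TAG_DNS_NAME, n.encode("ascii")) for n in dns_names)
    san_value = der_tlv(TAG_SEQUENCE, general_names)
    return der_tlv(TAG_SEQUENCE,
                   der_oid(OID_SUBJECT_ALT_NAME) + der_tlv(TAG_OCTET_STRING, san_value))


def encode_extension_request(dns_names):
    """Attribute ::= SEQUENCE { type extensionRequest, values SET OF Extensions }"""
    extensions = der_tlv(TAG_SEQUENCE, encode_san_extension(dns_names))
    return der_tlv(TAG_SEQUENCE,
                   der_oid(OID_EXTENSION_REQUEST) + der_tlv(TAG_SET, extensions))


def der_read(buf):
    """Read one TLV; return (tag, content, remaining bytes)."""
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                 # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[2:2 + n], "big")
        pos += n
    return tag, buf[pos:pos + length], buf[pos + length:]


def der_children(content):
    items = []
    while content:
        tag, inner, content = der_read(content)
        items.append((tag, inner))
    return items


def decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def san_dns_names(extension_request_der):
    """dNSName entries from an extensionRequest attribute; [] when no SAN is present."""
    _, attr, _ = der_read(extension_request_der)
    (_, attr_type), (_, values) = der_children(attr)
    if decode_oid(attr_type) != OID_EXTENSION_REQUEST:
        return []
    names = []
    for _, extensions in der_children(values):            # SET OF Extensions
        for _, extension in der_children(extensions):     # each Extension
            fields = der_children(extension)
            if decode_oid(fields[0][1]) != OID_SUBJECT_ALT_NAME:
                continue
            _, general_names, _ = der_read(fields[-1][1])  # extnValue OCTET STRING
            names += [c.decode("ascii") for t, c in der_children(general_names)
                      if t == TAG_DNS_NAME]
    return names


def hostname_check(hostname, common_name, dns_names):
    """SAN-first rule from the quoted urllib3 warning: returns (matched, used_cn_fallback)."""
    if dns_names:
        return hostname in dns_names, False
    return hostname == common_name, True   # fallback the warning says is being removed


if __name__ == "__main__":
    attr = encode_extension_request(["ipa.example.test"])   # constructed sample name
    print(attr.hex())
    print(san_dns_names(attr), hostname_check("ipa.example.test", "ipa.example.test", san_dns_names(attr)))
```

The interesting line for this thread is the second return of hostname_check: a certificate with a CN but no SAN still "matches" today, but only through the fallback that the warning flags, which is why the CSR needs the dNSName before the profile work lands.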