Subject: CAcert Code Development list.
List archive
- From: Wytze van der Raay <wytze AT cacert.org>
- To: Michael Tänzer <michael.taenzer AT cacert.org>
- Cc: "critical-admin AT cacert.org" <critical-admin AT cacert.org>, cacert-devel AT lists.cacert.org, Ulrich Schröter CAcert <ulrich AT cacert.org>, Dirk Astrath <dirk.astrath AT cacert.org>, Daniel Wagner <dwkwaxi AT gmail.com>, Marcus Mängel <inopiae AT cacert.org>, Kenneth Van Wyk <ken AT krvw.com>
- Subject: Re: Patch request: Bug #540
- Date: Fri, 27 Jul 2012 18:22:49 +0200
Hi Michael,
On 25-7-2012 0:07, Michael Tänzer wrote:
> We have a fix for https://bugs.cacert.org/view.php?id=540
> "No key usage attribute in cacert org certs anymore?"
>
> The fix was reviewed by Dirk Astrath (dastrath) and me (NEOatNHNG) and
> tested by Ulrich Schröter (Uli60), Daniel Wagner (Kwaxi), Marcus Mängel
> (INOPIAE) and Kenneth Van Wyk.
>
> Diff is attached (bug-540.diff). Please also run the locale makefile so
> that our translators see the new strings (if present) on
> https://translations.cacert.org and new translations get imported into
> the system.
>
> The patch also needs to be applied to the signing server and
> additionally the changes found in the svn_bug-540.diff need to be
> applied to the openssl config files on the signer.
>
>
> Changed files:
> CommModule/server.pl
> www/policy/CertificationPracticeStatement.php
The patches have been installed on the signing server and the webdb
server as requested above, on July 27, 2012. See also the attached
log messages sent to the cacert-systemlog mailing list.
The ssl configuration files in the CAcert SVN repository have been
updated likewise.
Finally, the translations.cacert.org upload and downloads have been
performed as requested, and the Apache2 webserver has been reloaded
to activate the new strings.
Regards,
-- wytze
--- Begin Message ---
- From: Wytze van der Raay <wytze AT cacert.org>
- To: cacert-systemlog AT lists.cacert.org
- Subject: [Visit BIT][27.07.2012] install software patch on signing server
- Date: Fri, 27 Jul 2012 18:08:30 +0200
Visit date & time: 27.07.2012, 17:05 - 17:20 CEST
Persons:
Stefan Kooman (Oophaga)
Mendel Mobach (CAcert)
Wytze van der Raay (CAcert)
Actions performed during this site visit:
* Synchronized time of signing server with webdb server thru timesync.sh
* Installed patches for https://bugs.cacert.org/view.php?id=540 on the
signing server while backing up old versions of all affected files.
* Restarted CommModule process to activate the changed code.
* Verified correct operation by requesting a new server certificate
through the regular user interface and verifying the returned cert.
Follow-up actions:
* Bring the copy of the affected ssl configuration files in CAcert's svn
http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/
back in sync with the new version on the signing server.
* Install the related patch for bug #540 on the webdb server.
-- end
Attachment: smime.p7s
Description: S/MIME cryptographic signature
--- End Message ---
--- Begin Message ---
- From: Wytze van der Raay <wytze AT cacert.org>
- To: cacert-systemlog AT lists.cacert.org
- Subject: Fwd: [cvs.cacert.org checkin notification]
- Date: Fri, 27 Jul 2012 18:11:51 +0200
Fix for https://bugs.cacert.org/view.php?id=540
No key usage attribute in cacert org certs anymore?
Note that these patches have been preceded by installing the
associated patches on the signing server as documented in the
[Visit BIT][27.07.2012] report on the cacert-systemlog mailing list.
In conjunction with the attached CVS changes a new tarball has been
made available incorporating all updates. The new tarball is available
through http://www.cacert.org/src-lic.php
-- end
--- Begin Message ---
- From: "root" <root AT cvs.cacert.org>
- To: critical-admin AT cacert.org
- Subject: cvs.cacert.org checkin notification
- Date: Fri, 27 Jul 2012 18:00:23 +0200 (CEST)
uid=0(root) gid=0(root) groups=0(root)
server.pl 1.1 1.2
Fri Jul 27 18:00:22 CEST 2012
Update of /var/lib/cvs/cacert/CommModule
In directory hlin:/home/cacert/www/CommModule
Modified Files:
server.pl
Log Message:
Fix for https://bugs.cacert.org/view.php?id=540
No key usage attribute in cacert org certs anymore?
===================================================================
RCS file: /var/lib/cvs/cacert/CommModule/server.pl,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- server.pl 2010/12/13 10:58:19 1.1
+++ server.pl 2012/07/27 16:00:21 1.2
@@ -502,9 +502,28 @@
{
open OUT,">$wid/extfile";
print OUT "basicConstraints = critical, CA:FALSE\n";
+ print OUT "keyUsage = critical, digitalSignature, keyEncipherment,
keyAgreement\n";
print OUT "extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC\n";
- print OUT "keyUsage = digitalSignature, keyEncipherment\n";
print OUT "authorityInfoAccess = OCSP;URI:$OCSPUrl\n";
+
+ my $CRLUrl="";
+ if($root==0)
+ {
+ $CRLUrl="http://crl.cacert.org/revoke.crl";
+ }
+ elsif($root==1)
+ {
+ $CRLUrl="http://crl.cacert.org/class3-revoke.crl";
+ }
+ elsif($root==2)
+ {
+ $CRLUrl="http://crl.cacert.org/class3s-revoke.crl";
+ }
+ else
+ {
+ $CRLUrl="http://crl.cacert.org/root${root}.crl";
+ }
+ print OUT "crlDistributionPoints = URI:${CRLUrl}\n";
print OUT "subjectAltName = $san\n" if(length($san));
close OUT;
$extfile=" -extfile $wid/extfile ";
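Review bot: the new critical `keyUsage` line adds `keyAgreement`, which RFC 5280 §4.2.1.3 defines for public keys used in key agreement (DH/ECDH); on an RSA subject key the bit serves no purpose, and since the extension is now critical (the removed line was non-critical and lacked the bit), confirm the bit is really wanted before shipping it. The `$CRLUrl` selection handles roots 0, 1 and 2 explicitly but the `else` branch synthesizes `http://crl.cacert.org/root${root}.crl` for any other index; unless a CRL is published at exactly that path for every other root the signer can be asked to use, certificates would carry an unreachable CDP, so either enumerate the known roots and `die` on an unknown `$root` or document where those CRLs are served. Note also that in this archive copy the `print OUT "keyUsage = ..."` line is wrapped after `keyEncipherment,`; the applied patch must keep it on one line, otherwise the extfile gets a dangling `keyAgreement\n` line. Pre-existing but cheap to fix while here: `open OUT,">$wid/extfile"` is never checked, so a failed open (and the empty extfile that results) is not detected at this point.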
--- End Message ---
--- Begin Message ---
- From: "root" <root AT cvs.cacert.org>
- To: critical-admin AT cacert.org
- Subject: cvs.cacert.org checkin notification
- Date: Fri, 27 Jul 2012 18:00:29 +0200 (CEST)
uid=0(root) gid=0(root) groups=0(root)
CertificationPracticeStatement.php 1.2 1.3
Fri Jul 27 18:00:29 CEST 2012
Update of /var/lib/cvs/cacert/www/policy
In directory hlin:/home/cacert/www/www/policy
Modified Files:
CertificationPracticeStatement.php
Log Message:
Fix for https://bugs.cacert.org/view.php?id=540
No key usage attribute in cacert org certs anymore?
===================================================================
RCS file: /var/lib/cvs/cacert/www/policy/CertificationPracticeStatement.php,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- CertificationPracticeStatement.php 2011/07/27 10:41:01 1.2
+++ CertificationPracticeStatement.php 2012/07/27 16:00:29 1.3
@@ -69,7 +69,7 @@
<a href="PolicyOnPolicy.html"><img src="cacert-draft.png" alt="CAcert Policy
Status" height="31" width="88" style="border-style: none;" /></a><br />
Creation date: 20060726<br />
Status: DRAFT p20091108<br />
-<!-- $Id: CertificationPracticeStatement.php,v 1.2 2011/07/27 10:41:01 wytze
Exp $ -->
+<!-- $Id: CertificationPracticeStatement.php,v 1.3 2012/07/27 16:00:29 wytze
Exp $ -->
<font size="-1">
@@ -3203,54 +3203,50 @@
<h4><a name="p7.1.2" id="p7.1.2">7.1.2. Certificate extensions</a></h4>
<p>
-Client certificates include the following extensions:.
+ Client certificates include the following extensions:
</p>
-<ul><li>
- basicConstraints=CA:FALSE (critical)
- </li><li>
- keyUsage=digitalSignature,keyEncipherment,cRLSign
- </li><li>
- </li><li>
- extendedKeyUsage=emailProtection,clientAuth,serverAuth,msEFS,msSGC,nsSGC
- </li><li>
- authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
- </li><li>
- subjectAltName=(as per <a href="#p3.1.1">§3.1.1.</a>).
-</li></ul>
+<ul>
+ <li>basicConstraints=CA:FALSE (critical)</li>
+ <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
+ <li>extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC</li>
+ <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
+ <li>crlDistributionPoints=URI:<crlUri> where <crlUri> is
replaced
+ with the URI where the certificate revocation list relating to the
+ certificate is found</li>
+ <li>subjectAltName=(as per <a href="#p3.1.1">§3.1.1.</a>).</li>
+</ul>
<ul class="q">
<li> what about Client Certificates Adobe Signing extensions ?</li>
<li> SubjectAltName should become critical if DN is removed
http://tools.ietf.org/html/rfc5280#section-4.2.1.6</li>
</ul>
-
<p>
-Server certificates include the following extensions:
+ Server certificates include the following extensions:
</p>
-<ul><li>
- basicConstraints=CA:FALSE (critical)
- </li><li>
- keyUsage=digitalSignature,keyEncipherment
- </li><li>
- extendedKeyUsage=clientAuth,serverAuth,nsSGC,msSGC
- </li><li>
- authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
- </li><li>
- subjectAltName=(as per <a href="#p3.1.1">§3.1.1.</a>).
-</li></ul>
+<ul>
+ <li>basicConstraints=CA:FALSE (critical)</li>
+ <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
+ <li>extendedKeyUsage=clientAuth,serverAuth,nsSGC,msSGC</li>
+ <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
+ <li>crlDistributionPoints=URI:<crlUri> where <crlUri> is
replaced
+ with the URI where the certificate revocation list relating to the
+ certificate is found</li>
+ <li>subjectAltName=(as per <a href="#p3.1.1">§3.1.1.</a>).</li>
+</ul>
<p>
-Code-Signing certificates include the following extensions:
+ Code-Signing certificates include the following extensions:
</p>
-
-<ul><li>
- basicConstraints=CA:FALSE (critical)
- </li><li>
- keyUsage=digitalSignature,keyEncipherment
- </li><li>
-
extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
- </li><li>
- authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-</li></ul>
+<ul>
+ <li>basicConstraints=CA:FALSE (critical)</li>
+ <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
+
<li>extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC</li>
+ <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
+ <li>crlDistributionPoints=URI:<crlUri> where <crlUri> is
replaced
+ with the URI where the certificate revocation list relating to the
+ certificate is found</li>
+ <li>subjectAltName=(as per <a href="#p3.1.1">§3.1.1.</a>).</li>
+</ul>
<ul class="q">
<li> what about subjectAltName for Code-signing</li>
</ul>
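Review bot: `<crlUri>` is written unescaped inside HTML in all three new `crlDistributionPoints` list items, so browsers will parse it as an unknown tag and render the item as "crlDistributionPoints=URI: where is replaced ..."; use `&lt;crlUri&gt;`. Two content changes in this hunk go beyond what the log message ("No key usage attribute ...") announces and should be called out explicitly: the client-certificate `extendedKeyUsage` drops `serverAuth` (old line `emailProtection,clientAuth,serverAuth,msEFS,msSGC,nsSGC`, new line without `serverAuth`), and the code-signing profile gains a `subjectAltName` item while the open question "what about subjectAltName for Code-signing" below it is kept unchanged; either the question should go or the item should not be listed as issued. Dropping `cRLSign` from the client keyUsage is the right fix for an end-entity certificate. Finally, the CPS now states critical `keyUsage` plus `crlDistributionPoints` for client, server and code-signing certificates, but the `server.pl` hunk in this thread only changes the branch whose extendedKeyUsage matches the server profile; confirm that the openssl config changes in `svn_bug-540.diff` referred to in the patch request cover the other two profiles, otherwise the CPS describes certificates the signer does not yet produce.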
--- End Message ---
Attachment: smime.p7s
Description: S/MIME cryptographic signature
--- End Message ---
Attachment: smime.p7s
Description: S/MIME cryptographic signature
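The verification step in the site-visit report above ("requesting a new server certificate ... and verifying the returned cert") can be reproduced offline against the extfile logic shown in the server.pl hunk. The script below is an added example written for this archive page; it is not code from the thread nor from CAcert's CommModule. It assumes only the openssl command-line tool; the throwaway CA, the CSR, the subjectAltName and OCSP values and the function names (crl_for_root, write_extfile, issue_server_cert, check_extensions, run_demo) are all constructed for the example. It writes the extfile with the same lines and CRL selection as the patched server.pl, signs a constructed CSR with it the way the signer does (`openssl x509 -req ... -extfile`), and then checks the issued certificate for the properties bug #540 is about.

```shell
#!/bin/sh
# Added example (not CAcert's code): rebuild the extfile the patched server.pl
# writes for a server certificate, sign a constructed CSR with it and check the
# issued certificate as the site-visit report describes. Assumes the openssl CLI;
# all names, keys and subject values below are constructed for this example.
set -eu

# Same CRL selection as the new $CRLUrl block in server.pl, keyed on root index.
crl_for_root() {
    case "$1" in
        0) echo "http://crl.cacert.org/revoke.crl" ;;
        1) echo "http://crl.cacert.org/class3-revoke.crl" ;;
        2) echo "http://crl.cacert.org/class3s-revoke.crl" ;;
        *) echo "http://crl.cacert.org/root$1.crl" ;;
    esac
}

# Writes the extfile with the same lines, in the same order, as patched server.pl.
# $1 root index, $2 subjectAltName value (may be empty), $3 OCSP URL, $4 output path
write_extfile() {
    crl="$(crl_for_root "$1")"
    {
        echo "basicConstraints = critical, CA:FALSE"
        echo "keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement"
        echo "extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC"
        echo "authorityInfoAccess = OCSP;URI:$3"
        echo "crlDistributionPoints = URI:$crl"
        if [ -n "$2" ]; then echo "subjectAltName = $2"; fi
    } > "$4"
}

# Creates a throwaway CA and CSR in $3 and signs the CSR with the extfile,
# mirroring the "-extfile $wid/extfile" signing call in server.pl.
# $1 root index, $2 subjectAltName value, $3 working directory
issue_server_cert() {
    dir="$3"
    # minimal req config so "openssl req" does not depend on a system openssl.cnf
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$dir/req.cnf"
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.net" -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
    write_extfile "$1" "$2" "http://ocsp.cacert.org" "$dir/extfile"
    openssl x509 -req -days 1 -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/extfile" -out "$dir/srv.pem" 2>/dev/null
}

# The check behind "verifying the returned cert": keyUsage present and critical,
# keyAgreement set, and a CRL distribution point carrying the expected URL.
# $1 certificate PEM file, $2 expected CRL URL; returns 0 only if all hold.
check_extensions() {
    text="$(openssl x509 -in "$1" -noout -text)"
    printf '%s\n' "$text" | grep -q 'X509v3 Key Usage: critical' || return 1
    printf '%s\n' "$text" | grep -q 'Key Agreement' || return 1
    printf '%s\n' "$text" | grep -q 'X509v3 CRL Distribution Points' || return 1
    printf '%s\n' "$text" | grep -q "URI:$2" || return 1
    return 0
}

# End-to-end run for root index $1 (defaults to 1, the class3 branch in server.pl).
run_demo() {
    root="${1:-1}"
    work="$(mktemp -d)"
    issue_server_cert "$root" "DNS:www.example.net, DNS:example.net" "$work"
    if check_extensions "$work/srv.pem" "$(crl_for_root "$root")"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return "$rc"
}

run_demo 1 && echo "issued certificate carries critical keyUsage with keyAgreement and a CDP"
```

Running the script against a certificate produced by an unpatched signer makes check_extensions return 1 at the first grep, because the old extfile line `keyUsage = digitalSignature, keyEncipherment` yields a non-critical extension without the Key Agreement bit and no CRL distribution point at all. Pointing check_extensions at a certificate downloaded from the production web interface, with the CRL URL for the root that signed it, is the same check the visit report performed by hand.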