mirror of https://github.com/python/cpython
744caa8ef4
gh-120762: make_ssl_certs: Don't set extensions for the CSR

`openssl req` fails with openssl 3.2.2 because the config line authorityKeyIdentifier = keyid:always,issuer:always is not supported for certificate signing requests (since the issuing certificate authority is not known).

David von Oheimb, the OpenSSL dev that made the change, commented in: https://github.com/openssl/openssl/issues/22966#issuecomment-1858396738 :

> This problem did not show up in older OpenSSL versions because of a bug:
> the `req` app ignored the `-extensions` option unless `-x505` is given,
> which I fixed in https://github.com/openssl/openssl/pull/16865.

(I assume `-x505` is a typo for `-x509`.)

In our `make_cert_key` function:

If `sign` is true:
- We don't pass `-x509` to `req`, so in this case it should be safe to omit the `-extensions` argument. (Old OpenSSL ignores it, new OpenSSL fails on it.)
- The extensions are passed to the `ca` call later in the function. There they take effect, and `authorityKeyIdentifier` is valid.

If `sign` is false, this commit has no effect except rearranging the CLI arguments.
Files in this directory:

capath/
allsans.pem
badcert.pem
badkey.pem
cert3.pem
ffdh3072.pem
idnsans.pem
keycert.passwd.pem
keycert.pem
keycert.pem.reference
keycert2.pem
keycert3.pem
keycert3.pem.reference
keycert4.pem
keycertecc.pem
leaf-missing-aki.ca.pem
leaf-missing-aki.keycert.pem
make_ssl_certs.py
nokia.pem
nosan.pem
nullbytecert.pem
nullcert.pem
pycacert.pem
pycakey.pem
revocation.crl
secp384r1.pem
selfsigned_pythontestdotnet.pem
ssl_cert.pem
ssl_key.passwd.pem
ssl_key.pem
talos-2019-0758.pem