Re: Help, I broke sso.debian.org for chrome

To: Enrico Zini <enrico@enricozini.org>
Cc: debian-devel@lists.debian.org
Subject: Re: Help, I broke sso.debian.org for chrome
From: Christoph Berg <myon@debian.org>
Date: Tue, 5 Sep 2017 12:16:47 +0200
Message-id: <[🔎] 20170905101647.obh325rntyph6e26@msg.df7cb.de>
Mail-followup-to: Christoph Berg <myon@debian.org>, Enrico Zini <enrico@enricozini.org>, debian-devel@lists.debian.org
In-reply-to: <[🔎] 20170905093701.xncmprl2x4so6hu4@enricozini.org>
References: <[🔎] 20170905093701.xncmprl2x4so6hu4@enricozini.org>

Re: Enrico Zini 2017-09-05 <[🔎] 20170905093701.xncmprl2x4so6hu4@enricozini.org>
> I refactored the certificate generation code for sso.debian.org, and the
> certificates it generates now still work in Firefox but not in Chrome.

My guess is that the new-style certificates are missing some
attributes:

Old certificate from 2015:

        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication

New certificate from this week:

        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                email:myon@debian.org
            X509v3 Basic Constraints: critical
                CA:FALSE

I'll see if I can add that.

Christoph

Reply to:

Follow-Ups:
- Re: Help, I broke sso.debian.org for chrome
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: Help, I broke sso.debian.org for chrome
  - From: Enrico Zini <enrico@enricozini.org>

References:
- Help, I broke sso.debian.org for chrome
  - From: Enrico Zini <enrico@enricozini.org>

Prev by Date: Help, I broke sso.debian.org for chrome
Next by Date: Help needed for #871234 FTBFS with GCC-7: error: type/value mismatch
Previous by thread: Help, I broke sso.debian.org for chrome
Next by thread: Re: Help, I broke sso.debian.org for chrome
Index(es):
- Date
- Thread