Bug 180482

Summary: tls certificates on svn https mirrors cannot be verified
Product: Documentation
Reporter: r4721 <r4721>
Component: Books & Articles
Assignee: Peter Wemm <peter>
Status: Closed FIXED
Severity: Affects Only Me
CC: clusteradm, peter
Priority: Normal
Version: Latest
Hardware: Any
OS: Any

Description r4721@tormail.org 2013-07-11 22:30:00 UTC
The SSL certificates on all https:// svn mirrors cannot be verified because they
are self-signed and missing the Certificate Sign extended key usage. A self-signed
certificate must have this, because signing a certificate with another (even
itself) that is marked as not able to sign is not valid.

The certificates seem to have been made with -extensions v3_req, which by default
does not include keyCertSign (/etc/ssl/openssl.cnf):

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

reference:
http://thread.gmane.org/gmane.comp.encryption.openssl.user/48686/focus=48701

keyUsage should have keyCertSign appended (or keyUsage commented out, which would
then allow all usages).

> openssl verify -CAfile cert.pem cert.pem 
cert.pem: /C=US/ST=CA/O=FreeBSD.org/OU=clusteradm/CN=svnmir.bme.FreeBSD.org
/emailAddress=clusteradm@FreeBSD.org
error 20 at 0 depth lookup:unable to get local issuer certificate

> openssl x509 -text -noout -in svn0.eu.freebsd.org
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:svnmir.bme.FreeBSD.org, ...

Fix: 

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyCertSign
(or any custom combination of keyUsage options that include keyCertSign)

> openssl req -subj /CN=test -nodes -newkey rsa:2048 -x509 -extensions v3_req \
 -out cert.pem -keyout /dev/null
Generating a 2048 bit RSA private key
..............................................+++
.........+++
writing new private key to '/dev/null'
-----

> openssl verify -CAfile cert.pem cert.pem
cert.pem: OK

> openssl x509 -text -noout -in cert.pem
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign
How-To-Repeat:

> openssl req -subj /CN=test -nodes -newkey rsa:2048 -x509 -extensions v3_req \
 -out cert.pem -keyout /dev/null
Generating a 2048 bit RSA private key
.........................................+++
........................................................................+++
writing new private key to '/dev/null'
-----

> openssl verify -CAfile cert.pem cert.pem 
cert.pem: /CN=test
error 20 at 0 depth lookup:unable to get local issuer certificate

> openssl x509 -text -noout -in cert.pem
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
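The following script is an added, self-contained version of the reporter's
reproduction and fix; it is not part of the bug report or of the FreeBSD cluster
configuration. It assumes only that the openssl command-line tool is on PATH. Instead
of editing /etc/ssl/openssl.cnf it writes a throwaway config with two extension
sections (section and file names are this example's own): v3_req_nocertsign, which
mirrors the stock v3_req section quoted above, and v3_req_certsign, which is the same
section with keyCertSign appended. It generates a self-signed certificate from each,
reports whether Key Usage contains Certificate Sign, and runs "openssl verify" with
the certificate as its own trust anchor, as in the transcript above.

```shell
#!/bin/sh
# Added example, not from the bug report: build two self-signed certificates,
# one with the stock v3_req keyUsage and one with keyCertSign appended, then
# inspect the Key Usage extension and try to verify each against itself.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway openssl.cnf constructed for this example. The empty req_dn section
# is only there because "openssl req" insists on a distinguished_name section
# even when the subject is passed with -subj.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn

[ req_dn ]

# Same content as the stock v3_req section in /etc/ssl/openssl.cnf
[ v3_req_nocertsign ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# The reporter's proposed fix: keyCertSign appended to keyUsage
[ v3_req_certsign ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyCertSign
EOF

# make_cert SECTION OUTFILE
# Self-signed certificate for CN=test using the named extension section.
make_cert() {
    openssl req -config "$WORK/openssl.cnf" -subj /CN=test -nodes \
        -newkey rsa:2048 -x509 -days 1 -extensions "$1" \
        -out "$2" -keyout "$WORK/key.pem" 2>/dev/null
}

# has_cert_sign FILE
# Exit 0 if the certificate's Key Usage lists "Certificate Sign" (keyCertSign).
has_cert_sign() {
    openssl x509 -text -noout -in "$1" | grep -q 'Certificate Sign'
}

# verifies_self FILE
# Exit 0 if "openssl verify" accepts FILE when FILE is also the trust anchor,
# which is the check the reporter ran against the mirror certificates.
verifies_self() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

make_cert v3_req_nocertsign "$WORK/nocertsign.pem"
make_cert v3_req_certsign   "$WORK/certsign.pem"

for f in nocertsign certsign; do
    if has_cert_sign "$WORK/$f.pem"; then ku="keyCertSign present"; else ku="keyCertSign absent"; fi
    if verifies_self "$WORK/$f.pem"; then v="verify OK"; else v="verify FAILED"; fi
    echo "$f.pem: $ku, $v"
done
```

The Key Usage check is deterministic: only certsign.pem carries Certificate Sign, and
that certificate verifies against itself as the report's fix section shows. Whether
nocertsign.pem fails with "error 20 ... unable to get local issuer certificate" as in
the 2013 transcript depends on the OpenSSL release; later releases changed how a
self-signed, non-CA certificate in the trust store is handled, so read the script's
output for your build rather than assuming it. One caveat on the proposed fix: it
keeps basicConstraints CA:FALSE while setting keyCertSign, a combination RFC 5280
section 4.2.1.9 forbids (keyCertSign must not be asserted when cA is not), so it only
papers over the self-signed setup; the actual resolution recorded in Comment 2 was to
serve the mirrors with a certificate issued by a real CA.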
Comment 1 Remko Lodder freebsd_committer freebsd_triage 2014-02-24 11:34:41 UTC
Responsible Changed
From-To: freebsd-www->clusteradm

Hi Clusteradm, 

Can you comment on this please?
Comment 2 Peter Wemm freebsd_committer freebsd_triage 2016-03-03 07:34:56 UTC
This report can be closed.  The mirrors all use a real certificate under https://svn.freebsd.org/ now.