[Pkg-openssl-devel] Bug#767528: openssl: copy_extensions = copy does not automatically set certificate version to v3
Tom
bug at users.ch.eu.org
Fri Oct 31 18:38:26 UTC 2014
Package: openssl
Version: 1.0.1e-2+deb7u13
Severity: normal
Dear Maintainer,
When signing a certificate request, openssl may create an x509v1 certificate with x509v3 extensions.
This combination is rejected by some recent versions of Mozilla (Firefox and Thunderbird), see
https://bugzilla.mozilla.org/show_bug.cgi?id=1045973
This happens when "copy_extensions = copy" is used in the [ca] section and neither the
"-extensions <section>" command-line option nor the x509_extensions key in the config file is given.
It is unclear that -extensions (or x509_extensions) must be used in order to create an x509v3 certificate.
Including v3 extensions via copy_extensions in the config file should also produce an x509v3 certificate.
Thanks
Tom
-- System Information:
Debian Release: 7.7
APT prefers stable-updates
APT policy: (990, 'stable-updates'), (990, 'proposed-updates'), (990, 'stable'), (650, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages openssl depends on:
ii libc6 2.19-11
ii libssl1.0.0 1.0.1e-2+deb7u13
ii zlib1g 1:1.2.7.dfsg-13
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20130119+deb7u1
-- no debconf information
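
Added example, not part of the original report and not OpenSSL code: a minimal DER walk that flags the combination described above, a certificate that carries extensions while its version field is not v3. The function names and the sample certificates are constructed for illustration; the samples are certificate-shaped DER with empty placeholder fields, not real certificates.

```python
# Added example: flag X.509 certificates that carry extensions but are not v3.
# Standard library only; the sample certificates below are constructed.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits count length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def inspect_cert(der):
    """Return (version, has_extensions) read from the TBSCertificate."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs = next(children(cert))        # first element is tbsCertificate
    fields = list(children(tbs))
    version = 1                          # the [0] version field is omitted in v1
    if fields and fields[0][0] == 0xA0:
        _, raw, _ = read_tlv(fields[0][1], 0)
        version = int.from_bytes(raw, "big") + 1
    has_ext = any(t == 0xA3 for t, _ in fields)   # [3] EXPLICIT extensions
    return version, has_ext

def extensions_without_v3(der):
    version, has_ext = inspect_cert(der)
    return has_ext and version != 3

# Constructed sample data: certificate-shaped DER with empty placeholder fields.
def tlv(tag, body=b""):
    return bytes([tag, len(body)]) + body         # short-form length only

def sample_cert(version_field, with_extensions):
    tbs = b"" if version_field is None else tlv(0xA0, tlv(0x02, bytes([version_field])))
    tbs += tlv(0x02, b"\x01") + tlv(0x30) * 5     # serial + 5 placeholder SEQUENCEs
    if with_extensions:
        tbs += tlv(0xA3, tlv(0x30))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30) + tlv(0x03, b"\x00"))
```

To check an issued certificate, pass its DER bytes to `extensions_without_v3`, for example the output of `openssl x509 -outform DER`.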