
1 commit

Author: Petr Menšík
SHA1: 9754e4fb59
Message: Mark explicitly server cert with CA flag
Since OpenSSL 3.2 it did not connect from control to server cert. Create
server with indication is it CA.

Also use clientAuth trust for CA cert. That allows control cert to be
used for client authentication.

Resolves: rhbz#2310947
Date: 2024-09-11 21:32:22 +02:00
2 changed files with 35 additions and 0 deletions

@ -0,0 +1,34 @@
From 7c3ff5b59952bc6bf11f988c9dbd961ae3c626ea Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 10 Sep 2024 16:22:07 +0200
Subject: [PATCH] Mark explicitly server cert with CA flag
Since OpenSSL 3.2 it did not connect from control to server cert. Create
server with indication is it CA.
Also use clientAuth trust for CA cert. That allows control cert to be
used for client authentication.
---
dnssec-trigger-control-setup.sh.in | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/dnssec-trigger-control-setup.sh.in b/dnssec-trigger-control-setup.sh.in
index 7cc305a..eede665 100644
--- a/dnssec-trigger-control-setup.sh.in
+++ b/dnssec-trigger-control-setup.sh.in
@@ -200,9 +200,9 @@ EOF
test -f request.cfg || error "could not create request.cfg"
echo "create $SVR_BASE.pem (self signed certificate)"
-openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
-# create trusted usage pem
-openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
+openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -addext "basicConstraints=critical,CA:TRUE,pathlen:0" -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
+# create trusted usage pem for CA, what are signed certs allowed to do?
+openssl x509 -in "$SVR_BASE.pem" -addtrust clientAuth -out "${SVR_BASE}_trust.pem"
# create client request and sign it, piped
cat >request.cfg <<EOF
--
2.46.0
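Review bot: the new `-addtrust clientAuth` line replaces `-addtrust serverAuth` instead of adding to it, so `${SVR_BASE}_trust.pem` no longer carries the serverAuth trust marking; if the control client also uses that file to verify the server's certificate, keep both purposes, e.g. `openssl x509 -in "$SVR_BASE.pem" -addtrust serverAuth -addtrust clientAuth -out "${SVR_BASE}_trust.pem"`. That same line still has no `|| error "..."` guard, unlike the `openssl req` line above it, so a failure writing the trust file would go unnoticed. Minor: the `req` line keeps `$SVR_BASE.key` and `$SVR_BASE.pem` unquoted while the `x509` line now quotes them; and since `request.cfg` is generated from a heredoc just before this hunk, confirm it does not already set `basicConstraints` in its extensions section, otherwise the new `-addext` would duplicate it.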

@ -33,6 +33,7 @@ Patch4: 0004-Add-options-edns0-and-trust-ad.patch
Patch5: dnssec-trigger-configure-c99.patch
# https://github.com/NLnetLabs/dnssec-trigger/commit/f187c2be221a26f3c4ef4d9b16f1df67104ae634
Patch6: dnssec-trigger-0.17-allowed-characters.patch
Patch7: dnssec-trigger-0.17-openssl-3.2.patch
# to obsolete the version in which the panel was in main package
Obsoletes: %{name} < 0.12-22
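Review bot: this hunk only declares `Patch7`; nothing in it shows the patch being applied (a `%patch` line or `%autosetup` in `%prep`), nor a Release bump and `%changelog` entry for rhbz#2310947, so confirm those exist elsewhere in the spec. For consistency with the commented `Patch6` entry above, add a comment line over `Patch7` stating the reason (OpenSSL 3.2, rhbz#2310947) or the upstream link if one exists.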