rabbitmq / tls-gen

Generates self-signed x509/TLS/SSL certificates useful for development
Mozilla Public License 2.0

Make keyUsage compatible with OTP's wonky filtering #8

Closed lukebakken closed 7 years ago

lukebakken commented 7 years ago

If the keyUsage extension is specified, this code unhelpfully filters out cipher suites unless both keyEncipherment and digitalSignature are present. This might be a bug in OTP, but ensuring both values are present in keyUsage will prevent this issue from happening in an Erlang SSL/TLS environment.

scottmuc commented 7 years ago

@lukebakken while sampling around 5 or so certificates in the wild, we observed that all of them specified keyEncipherment and digitalSignature. I don't really have a clue what I'm talking about, but I thought it would be worth mentioning.

lukebakken commented 7 years ago

That's good to know. I think people must err on the side of more keyUsage attributes to avoid issues like this.

michaelklishin commented 5 years ago

There is a relevant change in Erlang/OTP 21.0 that explains some of the filtering logic applied and expected/implied by a couple of relevant RFCs.

lukebakken commented 5 years ago

@michaelklishin that's a great find.
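The check discussed in this thread, as an added example that is not tls-gen's own code: decode the DER-encoded KeyUsage BIT STRING that a certificate carries as its keyUsage extension value (RFC 5280, section 4.2.1.3), report which bits are set, and flag a certificate that lacks either of the two bits the Erlang/OTP filtering described above looks for (digitalSignature and keyEncipherment). It works on the extension value itself rather than on a whole certificate, uses only the Python standard library, and the function names (`decode_key_usage`, `encode_key_usage`, `has_otp_required_bits`, `missing_for_otp`) and the sample DER bytes are constructed for this example.

```python
"""Decode/encode the X.509 KeyUsage extension value and check the two bits
that the Erlang/OTP cipher-suite filtering discussed in this issue expects.

Added example, not tls-gen code. The extension value is a DER BIT STRING:
  03 <len> <unused-bits> <bit bytes...>
Bit 0 (digitalSignature) is the most significant bit of the first byte.
"""

# RFC 5280 KeyUsage bit names, indexed by bit position.
KEY_USAGE_BITS = [
    "digitalSignature",   # 0
    "nonRepudiation",     # 1 (also called contentCommitment)
    "keyEncipherment",    # 2
    "dataEncipherment",   # 3
    "keyAgreement",       # 4
    "keyCertSign",        # 5
    "cRLSign",            # 6
    "encipherOnly",       # 7
    "decipherOnly",       # 8
]

# The two bits the thread says OTP requires before it keeps RSA cipher suites.
OTP_REQUIRED = {"digitalSignature", "keyEncipherment"}


def decode_key_usage(der: bytes) -> set:
    """Decode a DER KeyUsage BIT STRING into the set of bit names that are set."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # Short-form length only; the extension value is never longer than 4 bytes.
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or inconsistent DER length")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("bad unused-bits count")
    nbits = len(body) * 8 - unused
    names = set()
    for i in range(min(nbits, len(KEY_USAGE_BITS))):
        byte, offset = divmod(i, 8)
        if body[byte] & (0x80 >> offset):
            names.add(KEY_USAGE_BITS[i])
    return names


def encode_key_usage(names) -> bytes:
    """Encode a set of bit names as a DER KeyUsage BIT STRING.

    DER requires trailing zero bits to be dropped, so the unused-bits count
    depends on the highest bit that is set (OpenSSL emits 03 02 05 A0 for
    digitalSignature + keyEncipherment).
    """
    bits = [0] * len(KEY_USAGE_BITS)
    for name in names:
        bits[KEY_USAGE_BITS.index(name)] = 1
    while bits and bits[-1] == 0:
        bits.pop()
    nbytes = (len(bits) + 7) // 8
    value = bytearray(nbytes)
    for i, bit in enumerate(bits):
        if bit:
            value[i // 8] |= 0x80 >> (i % 8)
    unused = nbytes * 8 - len(bits)
    body = bytes([unused]) + bytes(value)
    return bytes([0x03, len(body)]) + body


def has_otp_required_bits(names) -> bool:
    """True when both digitalSignature and keyEncipherment are present."""
    return OTP_REQUIRED <= set(names)


def missing_for_otp(names) -> list:
    """Which of the two required bits a keyUsage value lacks (sorted)."""
    return sorted(OTP_REQUIRED - set(names))


if __name__ == "__main__":
    # Constructed sample: the encoding tls-gen-style certs should end up with.
    good = bytes.fromhex("030205a0")
    # Constructed sample: a cert that only asserts keyEncipherment.
    bad = bytes.fromhex("03020520")
    for label, der in (("good", good), ("bad", bad)):
        names = decode_key_usage(der)
        print(label, sorted(names), "missing:", missing_for_otp(names))
```

In an OpenSSL-driven generator the corresponding setting is the `keyUsage = digitalSignature, keyEncipherment` line in the x509v3 extension section; `openssl x509 -in cert.pem -noout -text` shows the decoded names so the result can be cross-checked against this decoder.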