Set correct KU and EKU extensions #328
Conversation
A CA certificate must not have an EKU extension. KU key_cert_signing is required. crl_sign is recommended for CRLs and digital_signature is recommended for OCSP.

An end-entity cert must have an EKU. TLS server and TLS client are recommended. KU digital_signature is required for modern perfect forward secrecy handshake. key_encipherment is optional for old non-PFS handshake.

Signed-off-by: Christian Heimes <christian@python.org>
Thanks @tiran! Is there a tool/service we can plop our certificate into and verify it's up to snuff? I know requirements change and become stricter typically over time :)
@sethmlarson uhm, I don't know. Maybe ssllabs? You can also cross-verify the settings with CAB baseline requirements, https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.7.6.pdf:

7.1.2.1 Root CA Certificate
7.1.2.3 Subscriber Certificate
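To make the rules in the PR description concrete, and to give a local answer to the question above about checking a certificate, here is an added example that is not trustme's code and not part of this thread. It uses the `cryptography` package (which trustme builds on) to generate a throwaway CA and leaf with the described KU/EKU layout, and then lints any certificate against those rules. The names `key_usage`, `new_key`, `build_cert`, `make_pair`, `summarize` and `check_key_usage` are invented for this example, not trustme's API.

```python
"""Added example (not trustme's code): build a CA/leaf pair with the KU/EKU
layout this PR describes, then lint certificates against those rules."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# KeyUsage bits that can be read without raising (encipher/decipher_only
# raise ValueError unless key_agreement is set, so they are left out).
KU_BITS = ("digital_signature", "content_commitment", "key_encipherment",
           "data_encipherment", "key_agreement", "key_cert_sign", "crl_sign")
EKU_NAMES = {ExtendedKeyUsageOID.SERVER_AUTH: "serverAuth",
             ExtendedKeyUsageOID.CLIENT_AUTH: "clientAuth"}

def key_usage(**asserted):
    """KeyUsage with every bit cleared except those passed as True."""
    bits = dict.fromkeys(KU_BITS + ("encipher_only", "decipher_only"), False)
    bits.update(asserted)
    return x509.KeyUsage(**bits)

# The layout from the PR description.
CA_KU = key_usage(key_cert_sign=True, crl_sign=True, digital_signature=True)
LEAF_KU = key_usage(digital_signature=True)  # (EC)DHE handshakes only
LEAF_KU_RSA_KEX = key_usage(digital_signature=True, key_encipherment=True)
LEAF_EKU = [ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH]

def new_key():
    """Throwaway P-256 key (constructed for the example)."""
    return ec.generate_private_key(ec.SECP256R1())

def build_cert(common_name, key, *, ca, ku, eku=None, issuer=None, issuer_key=None):
    """Self-signed when issuer is None, otherwise signed by issuer_key."""
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer.subject if issuer is not None else subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .add_extension(ku, critical=True)
    )
    if eku is not None:  # a CA cert deliberately gets no EKU at all
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return builder.sign(issuer_key if issuer_key is not None else key, hashes.SHA256())

def make_pair(rsa_key_exchange=False):
    """Constructed CA + server/client leaf following the PR's rules."""
    ca_key = new_key()
    ca = build_cert("example test CA", ca_key, ca=True, ku=CA_KU)
    leaf = build_cert("localhost", new_key(), ca=False,
                      ku=LEAF_KU_RSA_KEX if rsa_key_exchange else LEAF_KU,
                      eku=LEAF_EKU, issuer=ca, issuer_key=ca_key)
    return ca, leaf

def summarize(cert):
    """Pull out BasicConstraints, KU and EKU; None means the extension is absent."""
    def get(cls):
        try:
            return cert.extensions.get_extension_for_class(cls).value
        except x509.ExtensionNotFound:
            return None
    bc, ku, eku = get(x509.BasicConstraints), get(x509.KeyUsage), get(x509.ExtendedKeyUsage)
    return {
        "ca": bc is not None and bc.ca,
        "ku": None if ku is None else {b for b in KU_BITS if getattr(ku, b)},
        "eku": None if eku is None else {EKU_NAMES.get(o, o.dotted_string) for o in eku},
    }

def check_key_usage(cert):
    """Findings against the PR's rules; an empty list means the cert conforms."""
    s, findings = summarize(cert), []
    ku = s["ku"] or set()
    if s["ca"]:
        if s["eku"] is not None:
            findings.append("CA cert must not carry an EKU extension")
        if "key_cert_sign" not in ku:
            findings.append("CA cert must assert KU keyCertSign")
        if "crl_sign" not in ku:
            findings.append("CA cert should assert KU cRLSign (CRL signing)")
        if "digital_signature" not in ku:
            findings.append("CA cert should assert KU digitalSignature (OCSP signing)")
    else:
        if s["eku"] is None:
            findings.append("end-entity cert must carry an EKU extension")
        elif not {"serverAuth", "clientAuth"} & s["eku"]:
            findings.append("end-entity EKU should include serverAuth and/or clientAuth")
        if "digital_signature" not in ku:
            findings.append("end-entity cert must assert KU digitalSignature ((EC)DHE handshakes)")
    return findings
```

A certificate trustme has written to disk can be fed in with `check_key_usage(x509.load_pem_x509_certificate(open(path, "rb").read()))`; the checks mirror the PR text and the two BR sections cited above (7.1.2.1 for root CAs, 7.1.2.3 for subscriber certificates), with "must" for the required bits and "should" for the recommended ones. Note that `key_encipherment` is accepted but not demanded on the leaf, matching the PR's "optional for old non-PFS handshake".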
Codecov Report

@@            Coverage Diff            @@
##            master      #328   +/-   ##
=========================================
  Coverage   100.00%   100.00%
=========================================
  Files           10        10
  Lines         1115      1160   +45
  Branches        48        48
=========================================
+ Hits          1115      1160   +45
Hey @tiran, it looks like that was the first time we merged one of your PRs! Thanks so much! 🎉 🎂 If you want to keep contributing, we'd love to have you. So, I just sent you an invitation to join the python-trio organization on GitHub! If you accept, then here's what will happen:

If you want to read more, here's the relevant section in our contributing guide. Alternatively, you're free to decline or ignore the invitation. You'll still be able to contribute as much or as little as you like, and I won't hassle you about joining again. But if you ever change your mind, just let us know and we'll send another invitation. We'd love to have you, but more importantly we want you to do whatever's best for you. If you have any questions, well... I am just a humble Python script, so I probably can't help. But please do post a comment here, or in our chat, or on our forum, whatever's easiest, and someone will help you out!
Thank you @tiran! Appreciated

I released this as part of 0.8.0: https://pypi.org/project/trustme/0.8.0/