add default extensions for host and user role as defined by RFC 5280 #21
Description
X.509 v3 extensions keyUsage and extendedKeyUsage should always be set according to RFC 5280 for TLS communications. The latest OpenVPN versions use these extensions to enforce server and client roles; without these settings users must disable server verification.
Here also the nsCertType extension is set, even if deprecated by recent versions of OpenVPN, for backward compatibility with older versions of OpenVPN server and client.
Testing
I did some testing with python==3.8.2 and peewee==2.10.2. Certificate generation works as expected, but I got a failure while listing CAs, requests or certificates from ./ca-sheel. I fear this could be because of some incompatibility between older peewee (version 3 is excluded by the requirement peewee<3 as it doesn't contain extension gfk) and newer Python.
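
Added example, not code from this pull request or the project: a sketch using the third-party `cryptography` package that issues throwaway certificates for the "host" and "user" roles named in the title and runs the kind of role check a TLS peer applies. The key usage bits, the function names `issue` and `role_ok`, and the sample names are assumptions (the page does not list the exact values), and nsCertType is left out.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Role names follow the PR title; the mapping and bit choices are assumptions.
ROLE_EKU = {"host": ExtendedKeyUsageOID.SERVER_AUTH,
            "user": ExtendedKeyUsageOID.CLIENT_AUTH}

def issue(cn, role=None):
    """Return a throwaway self-signed cert; role=None omits both extensions."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(name).issuer_name(name)
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now)
         .not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=False, path_length=None),
                        critical=True))
    if role is not None:
        ku = x509.KeyUsage(
            digital_signature=True, key_encipherment=(role == "host"),
            content_commitment=False, data_encipherment=False,
            key_agreement=False, key_cert_sign=False, crl_sign=False,
            encipher_only=False, decipher_only=False)
        b = (b.add_extension(ku, critical=True)
              .add_extension(x509.ExtendedKeyUsage([ROLE_EKU[role]]),
                             critical=False))
    return b.sign(key, hashes.SHA256())

def role_ok(cert, role):
    """Peer-side check: both extensions present and matching the role."""
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False  # a cert without the extensions cannot pass a role check
    return bool(ku.digital_signature) and ROLE_EKU[role] in list(eku)

if __name__ == "__main__":
    # Constructed sample subjects; "legacy" models a cert issued without extensions.
    for cn, role in [("vpn.example.test", "host"), ("alice", "user"), ("legacy", None)]:
        cert = issue(cn, role)
        print(cn, {r: role_ok(cert, r) for r in ROLE_EKU})
```
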