Github user ffcai commented on the pull request:
https://github.com/apache/trafficserver/pull/192#issuecomment-95907499
Hi @jacksontj , here I use another bundle of certificates because I
encounter some warning/error when test with openssl/curl/requests.
1. When generate certificate for Intermediate CA, we need to specify
**X509v3 extensions** as follows:
```
X509v3 Basic Constraints:
CA:TRUE
```
Or we would get errors when test with openssl commands.
http://serverfault.com/a/486835
2. It would be better to set **Subject Alternative Name** in leaf
certificate, to prevent warning in requests.
```python
>>> import requests
>>> r = requests.get('https://www.example.com:4443',
verify='/home/ffcai/apache/trafficserver/ci/new_tsqa/files/rsa_keys3/ca.crt')
/usr/lib/python2.6/site-packages/requests/packages/urllib3/connection.py:251:
SecurityWarning: Certificate has no `subjectAltName`, falling back to check for
a `commonName` for now. This feature is being removed by major browsers and
deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for
details.)
SecurityWarning
```
3. To enable the E2E https test, we need a customized DNS resolver, to hit
localhost for like hostname www.example.com. Seems that requests does not
support this yet. There's some hacky way, but I would like to find a simple
way, like curl's option `--resolve` http://superuser.com/a/794062
Could you please take a look at this bundle of certificates? If you agree
with it, I'll update about how to generate the Root CA, Intermediate CA and
leaf certificate. It's generated by a handy bash script, without complicated
configurations.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---
