On Wed, Sep 06, 2017 at 01:36:55PM +0200, Enrico Zini wrote:
> I found the reason: python-cryptography writes the certificate issuer
> as UTF8 String while the CA certificate has it as Printable String.
> Because of that, the subject names don't match bit-by-bit.
Fixed:
https://anonscm.debian.org
Enrico Zini writes:
> On Tue, Sep 05, 2017 at 11:37:01AM +0200, Enrico Zini wrote:
>
>> I refactored the certificate generation code for sso.debian.org, and the
>> certificates it generates now still work in Firefox but not in Chrome.
>
> I found the reason: python-cryptography writes the certifi
On Wed, Sep 06, 2017 at 01:36:55PM +0200, Enrico Zini wrote:
> On Tue, Sep 05, 2017 at 11:37:01AM +0200, Enrico Zini wrote:
>
> > I refactored the certificate generation code for sso.debian.org, and the
> > certificates it generates now still work in Firefox but not in Chrome.
>
> I found the rea
On Tue, Sep 05, 2017 at 11:37:01AM +0200, Enrico Zini wrote:
> I refactored the certificate generation code for sso.debian.org, and the
> certificates it generates now still work in Firefox but not in Chrome.
I found the reason: python-cryptography writes the certificate issuer
as UTF8 String whi
On Tue, Sep 05, 2017 at 02:08:38PM +0100, Ian Jackson wrote:
>
> FYI, Enrico, the openssl CLI tool can dump this kind of thing so you
> can compare before and after. I forget the exact runes I'm afraid.
openssl x509 -in <> -noout -text
is probably the magic line you're looking for.
Re: Enrico Zini 2017-09-05 <20170905163334.2mi5tzacykzja...@enricozini.org>
> I should have managed to do it, but chrome still doesn't seem to like
> it. Can you generate a new certificate and see if you still find
> differences?
"openssl x509 -text -noout" doesn't show any differences anymore
exc
On Tue, Sep 05, 2017 at 12:16:47PM +0200, Christoph Berg wrote:
> My guess is that the new-style certificates are missing some
> attributes:
>
> Old certificate from 2015:
>
> X509v3 extensions:
> X509v3 Basic Constraints: critical
> CA:FALSE
> X50
With Best Regards, Tim
On 09/05/2017 03:08 PM, Ian Jackson wrote:
> Christoph Berg writes ("Re: Help, I broke sso.debian.org for chrome"):
>> Re: Enrico Zini 2017-09-05 <20170905093701.xncmprl2x4so6...@enricozini.org>
>>> I refactored the certificate gener
Christoph Berg writes ("Re: Help, I broke sso.debian.org for chrome"):
> Re: Enrico Zini 2017-09-05 <20170905093701.xncmprl2x4so6...@enricozini.org>
> > I refactored the certificate generation code for sso.debian.org, and the
> > certificates it generates now s
Re: Enrico Zini 2017-09-05 <20170905093701.xncmprl2x4so6...@enricozini.org>
> I refactored the certificate generation code for sso.debian.org, and the
> certificates it generates now still work in Firefox but not in Chrome.
My guess is that the new-style certificates are missing some
attributes:
Hello,
I refactored the certificate generation code for sso.debian.org, and the
certificates it generates now still work in Firefox but not in Chrome.
Steps to reproduce:
1. Back up and delete all Debian certificates in Chrome
2. Go to one of these links to generate a new one:
https://sso.deb
11 matches
Mail list logo
