diff options
author | elijah <elijah@riseup.net> | 2012-12-11 02:19:27 -0800 |
---|---|---|
committer | elijah <elijah@riseup.net> | 2012-12-11 02:19:27 -0800 |
commit | 4a63e8c258025f91f4f3e37385fe2dfc0fc579ad (patch) | |
tree | 6c9ca85a9c0cd7377b24d0aff3fd8de717b405a8 /lib | |
parent | 7474fd4e2076d229b5409632f3f7bc471ce7831c (diff) | |
download | leap_cli-4a63e8c258025f91f4f3e37385fe2dfc0fc579ad.tar.gz leap_cli-4a63e8c258025f91f4f3e37385fe2dfc0fc579ad.tar.bz2 |
add keyEncipherment to server certs
Diffstat (limited to 'lib')
-rw-r--r-- | lib/leap_cli/commands/ca.rb | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb index d6fd975..c87dcea 100644 --- a/lib/leap_cli/commands/ca.rb +++ b/lib/leap_cli/commands/ca.rb @@ -267,8 +267,15 @@ module LeapCli; module Commands end # - # for keyusage, openvpn server certs can have keyEncipherment or keyAgreement. I am not sure which is preferable. - # going with keyAgreement for now. + # For keyusage, openvpn server certs can have keyEncipherment or keyAgreement. + # Web browsers seem to break without keyEncipherment. + # + # * digitalSignature ==> for (EC)DHE cipher suites + # * keyEncipherment ==> for plain RSA cipher suites + # * keyAgreement ==> for used with DH, not RSA. + # + # I am including all three because that seems to work in all cases. I am not sure if this + # is the right thing to do. # # digest options: SHA512, SHA256, SHA1 # @@ -277,10 +284,10 @@ module LeapCli; module Commands "digest" => manager.provider.ca.server_certificates.digest, "extensions" => { "keyUsage" => { - "usage" => ["digitalSignature", "keyAgreement"] + "usage" => ["digitalSignature", "keyEncipherment", "keyAgreement"] }, "extendedKeyUsage" => { - "usage" => ["serverAuth"] + "usage" => ["serverAuth", "clientAuth"] }, "subjectAltName" => { "ips" => [node.ip_address], |