From 4a63e8c258025f91f4f3e37385fe2dfc0fc579ad Mon Sep 17 00:00:00 2001
From: elijah <elijah@riseup.net>
Date: Tue, 11 Dec 2012 02:19:27 -0800
Subject: add keyEncipherment to server certs

---
 lib/leap_cli/commands/ca.rb | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

(limited to 'lib/leap_cli/commands/ca.rb')

diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb
index d6fd975..c87dcea 100644
--- a/lib/leap_cli/commands/ca.rb
+++ b/lib/leap_cli/commands/ca.rb
@@ -267,8 +267,15 @@ module LeapCli; module Commands
   end
 
   #
-  # for keyusage, openvpn server certs can have keyEncipherment or keyAgreement. I am not sure which is preferable.
-  # going with keyAgreement for now.
+  # For keyusage, openvpn server certs can have keyEncipherment or keyAgreement.
+  # Web browsers seem to break without keyEncipherment.
+  #
+  # * digitalSignature ==> for (EC)DHE cipher suites
+  # * keyEncipherment  ==> for plain RSA cipher suites
+  # * keyAgreement     ==> for used with DH, not RSA.
+  #
+  # I am including all three because that seems to work in all cases. I am not sure if this
+  # is the right thing to do.
   #
   # digest options: SHA512, SHA256, SHA1
   #
@@ -277,10 +284,10 @@ module LeapCli; module Commands
       "digest" => manager.provider.ca.server_certificates.digest,
       "extensions" => {
         "keyUsage" => {
-          "usage" => ["digitalSignature", "keyAgreement"]
+          "usage" => ["digitalSignature", "keyEncipherment", "keyAgreement"]
         },
         "extendedKeyUsage" => {
-          "usage" => ["serverAuth"]
+          "usage" => ["serverAuth", "clientAuth"]
         },
         "subjectAltName" => {
           "ips" => [node.ip_address],
-- 
cgit v1.2.3