
[fix] prevent Firefox from mixing CA and server certificate #857

Open
wants to merge 1 commit into
base: stretch-unstable
from

Conversation

@autra

autra commented Nov 30, 2019

Fixes YunoHost/issues#1479:

The problem

yunohost was using the exact same Distinguished Name for
the CA certificate and the main domain server certificate. When creating
an alternate domain name, Firefox thought the CA for this second domain was
the server certificate for the first domain. As the keys mismatch,
Firefox raised a bad key usage error, which is not bypassable.

Solution

To fix this, we "simply" need to make sure the DN for the CA is
distinct from any other DN. I did so by adding an Organization to it, and
I decided to just remove the last part of the domain and use that as an
organization name. It is certainly possible to do something else, as
long as we end up having a distinct DN. So yolo.test gives a yolo
organization, for instance.

More info here: https://bugzilla.mozilla.org/show_bug.cgi?id=1590217

PR Status

How to test

Run postinstall with yolo.test, create a new domain with yolo2.test and install an app in it. Before the fix, yolo2.test was in error; after the fix, we can make Firefox accept the certificate.

Validation

  • Principle agreement 0/2 :
  • Quick review 0/1 :
  • Simple test 0/1 :
  • Deep review 0/1 :
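The failure described in this PR comes from name-based chain building: a client looks for the issuer of a certificate by matching the issuer DN against the subject DNs it holds, so two certificates with the same subject but different keys are indistinguishable by name. The following is an added example, not code from this PR or from yunohost: a small Python model of that lookup, with a pre-fix store (CA DN equal to the main server DN) and a post-fix store (CA DN carrying an Organization derived from the domain). The `Cert` record, the `build_pki` layout, and the behaviour of `org_from_domain` on names with more than two labels or a single label are assumptions made for the example.

```python
# Added example (not the PR's code): model of name-based chain building and of
# the DN layout before and after giving the CA its own Organization.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str     # OpenSSL-style DN, e.g. "/O=yolo/CN=yolo.test"
    issuer: str      # DN of the certificate that signed this one
    key_id: str      # stand-in for the public key this certificate carries
    is_ca: bool      # basicConstraints CA flag


def org_from_domain(domain: str) -> str:
    """Organization derived as the PR describes: drop the last label,
    so 'yolo.test' -> 'yolo'. Keeping a single-label name whole is an
    assumption of this example, not something the PR states."""
    labels = domain.strip(".").split(".")
    return ".".join(labels[:-1]) if len(labels) > 1 else labels[0]


def build_pki(main_domain: str, extra_domains: list, distinct_ca_dn: bool) -> list:
    """Constructed store: one CA plus one server certificate per domain.
    distinct_ca_dn=False reproduces the pre-fix layout (CA DN == main server DN)."""
    if distinct_ca_dn:
        ca_dn = f"/O={org_from_domain(main_domain)}/CN={main_domain}"
    else:
        ca_dn = f"/CN={main_domain}"
    store = [Cert(subject=ca_dn, issuer=ca_dn, key_id="ca-key", is_ca=True)]
    for domain in [main_domain] + extra_domains:
        store.append(Cert(subject=f"/CN={domain}", issuer=ca_dn,
                          key_id=f"{domain}-key", is_ca=False))
    return store


def issuer_candidates(cert: Cert, store: list) -> list:
    """Name-based lookup: every stored certificate (other than `cert` itself)
    whose subject equals the issuer DN of `cert` is a candidate signer."""
    return [c for c in store if c.subject == cert.issuer and c is not cert]


def chain_is_unambiguous(cert: Cert, store: list) -> bool:
    """True when exactly one candidate exists and it is a CA. A non-CA
    candidate is the 'bad key usage' situation the bug report describes."""
    cands = issuer_candidates(cert, store)
    return len(cands) == 1 and cands[0].is_ca


def duplicate_subjects(store: list) -> list:
    """Defensive check to run before installing certificates: subject DNs
    shared by more than one certificate with different keys."""
    keys_by_dn = {}
    for c in store:
        keys_by_dn.setdefault(c.subject, set()).add(c.key_id)
    return sorted(dn for dn, keys in keys_by_dn.items() if len(keys) > 1)


def server_cert(store: list, domain: str) -> Cert:
    """The non-CA certificate issued for `domain`."""
    return next(c for c in store if c.subject == f"/CN={domain}" and not c.is_ca)


if __name__ == "__main__":
    for distinct in (False, True):
        store = build_pki("yolo.test", ["yolo2.test"], distinct_ca_dn=distinct)
        second = server_cert(store, "yolo2.test")
        print(f"distinct CA DN={distinct}: duplicates={duplicate_subjects(store)}, "
              f"yolo2.test chain unambiguous={chain_is_unambiguous(second, store)}")
```

In the pre-fix store the main domain still validates, because the only other certificate named `/CN=yolo.test` is the server certificate itself, which the lookup skips; the second domain sees two candidates and can end up at the non-CA one. `duplicate_subjects` is the check worth keeping around: it flags the collision without needing a browser to reproduce it.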
@alexAubin

Member

alexAubin commented Nov 30, 2019

Uh wokay that sounds a bit cryptic and I'm too lazy to research this, but LGTM and trusting you I guess ? 😅

@autra

Author

autra commented Nov 30, 2019

> trusting you I guess ? 😅

Well if you feel like it 😄

But maybe someone other than me can test this, just to check I'm not breaking anything? @HugoPoi maybe, as he is the reporter of YunoHost/issues#1479?

@HugoPoi


HugoPoi commented Dec 11, 2019

I will test this by the end of the week!
