declare missing key usage required by Google Chrome (when using TLS 1.3, no pb with TLS 1.2) #5

Merged
merged 1 commit into from Feb 28, 2020

Conversation

jgraglia
Contributor

@mkropat
Owner

mkropat commented Feb 25, 2020

Thank you for the bug report and PR!

I think I'll have time tonight to confirm this works, then I'll merge it.

@mkropat
Owner

mkropat commented Feb 26, 2020

I was able to test out this branch and it works great. However, I wasn't able to reproduce the issue described on Chromium 80 on Ubuntu. I see no reason not to believe this PR fixes a real issue, but since I can't reproduce it I want to do a little more research on the key usage values. I ran out of time this minute to continue to look into it, but I hope to get back to it in the next day or two.

@jgraglia
Contributor Author

Hi, for the record, I was experiencing this issue on Google Chrome, on an Ubuntu box:

$ google-chrome --version
Google Chrome 74.0.3729.108

$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 19.10
Release:	19.10
Codename:	eoan

@jgraglia
Contributor Author

jgraglia commented Feb 26, 2020

Me again,
so I have installed Chromium (Version 80.0.3987.116 (Build officiel) snap (64 bits)) and I get
ERR_SSL_KEY_USAGE_INCOMPATIBLE

This led me to this blog post:
https://hexeract.wordpress.com/2019/06/13/google-chrome-75-x-a-self-signed-certificate-and-err_ssl_key_usage_incompatible/

and

https://github.com/acmesh-official/acme.sh/blob/master/acme.sh#L1148

This comment on the blog post led me to test the TLS version I was using.

My tests were performed with a simple caddy configuration

localhost:8443 pc-nc308:8443 {
    tls default.crt default.key 
    root /var/log
    browse
    log stdout
}

When forcing TLS 1.2 with:

localhost:8443 pc-nc308:8443 {
    tls default.crt default.key {
       protocols tls1.2 tls1.2
    }
    root /var/log
    browse
    log stdout
}

Chrome is accepting the certificate with no error!

Caddy uses the TLS 1.2 --> TLS 1.3 version range by default.

I will rename the issue
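
An added example, not part of this PR or of sslfie: a shell check that reads `openssl x509 -noout -text` output and reports whether the certificate's Key Usage extension permits the handshake discussed in the comment above. The sample certificate text and the function names `key_usage_of` and `check_key_usage` are constructed for illustration; the rules applied are the RFC ones, not any browser's exact enforcement policy.

```shell
#!/bin/sh
# Constructed samples of the extension section of `openssl x509 -noout -text`
# output (not taken from the PR). To check a real file:
#   openssl x509 -in default.crt -noout -text | check_key_usage tls13
CERT_ENC_ONLY='        X509v3 extensions:
            X509v3 Key Usage: critical
                Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication'
CERT_SIG_ENC='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'
CERT_NO_KU='        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:localhost'

# Print the Key Usage value line from stdin; prints nothing if the extension
# is absent. "X509v3 Extended Key Usage" does not match this pattern.
key_usage_of() {
    awk '/X509v3 Key Usage:/ { getline; gsub(/^[ \t]+|[ \t]+$/, ""); print; exit }'
}

# check_key_usage MODE   (certificate text on stdin)
#   tls13     : server signs the handshake -> "Digital Signature" (RFC 8446, 4.4.2.2)
#   tls12-rsa : RSA key transport          -> "Key Encipherment"  (RFC 5246, 7.4.2)
# Returns 0 if compatible, 1 if not, 2 on a bad MODE.
check_key_usage() {
    case $1 in
        tls13)     need='Digital Signature' ;;
        tls12-rsa) need='Key Encipherment' ;;
        *) echo "unknown mode: $1" >&2; return 2 ;;
    esac
    usage=$(key_usage_of)
    if [ -z "$usage" ]; then
        echo "ok: no Key Usage extension, key is unrestricted"
        return 0
    fi
    case ", $usage," in
        *", $need,"*) echo "ok: $1 has '$need'"; return 0 ;;
        *) echo "incompatible: $1 needs '$need', certificate allows only '$usage'"; return 1 ;;
    esac
}

# Run the TLS 1.3 check over the three constructed samples.
for sample in "$CERT_ENC_ONLY" "$CERT_SIG_ENC" "$CERT_NO_KU"; do
    printf '%s\n' "$sample" | check_key_usage tls13 || true
done
```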

@jgraglia jgraglia changed the title declare missing key usage required by Google Chrome declare missing key usage required by Google Chrome (when using TSL 1.3, no pb with TSL 1.2) Feb 26, 2020
@jgraglia
Contributor Author

And a big thanks to @ngangat for the original fix in the sslfie script

@jgraglia jgraglia changed the title declare missing key usage required by Google Chrome (when using TSL 1.3, no pb with TSL 1.2) declare missing key usage required by Google Chrome (when using TLS 1.3, no pb with TLS 1.2) Feb 26, 2020
@mkropat mkropat merged commit a8ca193 into mkropat:master Feb 28, 2020
@mkropat
Owner

mkropat commented Feb 28, 2020

Nice detective work on figuring out that TLSv1.3 is what makes the issue reproducible. After that I was able to reproduce it myself. All the changes make sense based on my research.

Thanks again for the PR!
