TLS validation on localhost does not work with the auto generated certificate.
To replicate:
Follow install & setup, pass --cert-file
python3 manage.py runserver_plus --cert-file dev-cert.crt
Django version 5.0.4, using settings 'ourapp.devsettings'
Development server is running at https://ourapp.localhost:8000/
Using the Werkzeug debugger (https://werkzeug.palletsprojects.com/)
Quit the server with CONTROL-C.
dev-cert.crt is generated but does not work; a sample ERROR using wget:
wget -vvv --ca-certificate=$PWD/dev-cert.crt https://ourapp.localhost:8000
--2024-05-02 07:49:10-- https://ourapp.localhost:8000/
Resolving ourapp.localhost (ourapp.localhost)... 127.0.0.1
Connecting to ourapp.localhost (ourapp.localhost)|127.0.0.1|:8000... connected.
ERROR: no certificate subject alternative name matches
requested host name ‘ourapp.localhost’.
To connect to ourapp.localhost insecurely, use `--no-check-certificate'.
Certificate looks valid; however, I think wget, curl and python requests do not like the CN name?
openssl x509 -in dev-cert.crt --text --noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
25:44:40:09:99:71:4e:8c:b3:78:9e:ba:1b:de:d2:d0:f3:4f:d4:3e
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=Dummy Certificate, CN=*.localhost/CN=localhost
Validity
Not Before: May 2 07:02:26 2024 GMT
Not After : May 2 07:02:26 2025 GMT
Subject: O=Dummy Certificate, CN=*.localhost/CN=localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ad:fb:88:dd:bd:9f:d7:af:33:6f:92:5e:25:1e:
2d:de:22:b2:ec:e6:67:91:24:23:6e:f2:7f:08:dc:
6c:4d:be:b8:ca:a9:34:4c:08:71:c3:9f:dd:ac:67:
35:a5:72:8f:9f:dc:b1:47:9c:e7:9f:6b:b3:9c:a4:
f4:28:a8:5f:fd:9a:f1:a4:c0:59:88:bb:25:31:e5:
7c:75:33:67:ee:01:cc:f6:e0:59:b7:f4:ff:99:44:
a9:31:13:6a:eb:13:4e:e1:fa:ec:54:5c:0d:a6:a5:
38:59:5c:ae:b7:0c:d9:ee:23:40:db:1e:5e:42:47:
99:96:26:31:1a:62:23:44:41:31:1d:3a:9d:35:b0:
8b:49:3d:76:cb:6d:41:da:e8:10:a8:6d:82:7c:fb:
22:fd:8d:c8:9f:ed:90:1c:cd:3c:31:34:dc:d4:a1:
56:c4:c2:1f:f0:ca:b5:5a:9d:dd:06:43:7a:49:ed:
9a:74:e2:ea:31:e7:04:35:9b:f6:4a:75:8f:df:2c:
55:14:3b:56:85:cf:0b:b1:ea:8f:52:99:8e:33:b1:
cd:fc:9d:e0:38:24:e7:23:b5:da:cb:a8:14:ad:2d:
d6:f7:2c:fa:bc:e0:c3:15:e2:8f:72:22:7f:db:ad:
a7:14:1e:4b:09:fc:2d:71:6b:fa:15:0d:ec:da:5b:
c0:6f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:*.localhost/CN=localhost
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
99:51:30:ea:30:3f:57:01:28:80:78:44:fa:f6:8a:47:af:7b:
01:1f:ff:d2:eb:8f:d2:21:46:f2:b7:6c:29:a1:b0:7a:1f:80:
a7:1e:93:aa:af:6f:c2:fe:19:28:6a:93:6b:19:94:8c:2c:c3:
82:9a:d6:39:35:21:ea:02:1f:62:00:14:51:38:51:42:56:11:
af:1d:53:60:90:d7:e2:6c:28:8e:af:b8:b6:ef:73:95:5b:4d:
dd:3e:14:a0:95:20:52:3b:93:88:9f:c2:e3:c4:29:d6:7e:a8:
de:c0:db:e9:2f:cb:d7:e2:f7:06:e4:f2:ee:5f:4b:e3:43:2c:
fc:bd:be:df:f7:06:37:89:10:35:19:99:c0:b5:ff:0a:20:20:
e4:64:af:40:7d:f0:e6:e7:a1:e1:fc:ee:70:c0:71:be:ee:c9:
9a:a2:4c:7d:33:36:d1:a7:de:cc:d1:47:09:2e:d5:ae:1a:0f:
4a:68:9a:08:be:d1:6d:03:1b:b3:0c:b0:e8:5a:ac:fa:73:4a:
c5:4d:39:e0:b7:47:26:c6:66:d2:26:d0:88:6e:f4:9e:15:13:
d9:e0:a8:48:cc:f9:40:93:82:49:0f:4b:cd:16:95:ca:cd:78:
1a:7c:67:71:c5:8a:a9:03:10:ed:47:ac:89:63:41:af:5c:d7:
f0:ce:1f:3d
I've been using this library and running it insecurely as a result for a while, but today it really bugged me, so I thought I would dig deeper.
If I generate the certificate manually, it works and validates fine. With minor modifications to serving.py to fix the SAN/CN fields, I can make it work OK:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
38:a7:d1:e8:46:1c:f2:94:04:eb:ac:86:19:6d:7f:87:22:4f:a1
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=Dummy Certificate, CN=localhost
Validity
Not Before: May 2 07:13:25 2024 GMT
Not After : May 2 07:13:25 2025 GMT
Subject: O=Dummy Certificate, CN=localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c2:b7:20:f0:b2:5d:d5:e5:e6:b4:9b:a6:b7:e4:
65:4d:d3:52:f5:9c:a5:3c:b5:12:7c:2b:cd:c3:f5:
d2:43:72:b1:dd:39:74:8c:23:ff:b5:c9:4a:2a:18:
96:33:b8:d4:2a:8f:bd:6c:b5:10:24:1a:3e:19:5a:
7d:aa:b6:76:e2:37:dc:57:98:6e:dc:80:38:d7:c0:
b4:3c:b6:98:68:31:54:e3:a4:d0:fe:d5:14:97:56:
7f:5d:f0:5a:8e:ee:ae:cf:15:ef:4b:98:52:40:c4:
45:a5:af:cb:39:6f:67:95:19:62:24:52:64:8a:d1:
1d:77:86:40:fe:db:92:68:c7:7c:bc:56:1d:fe:e7:
61:ba:11:d5:a7:e4:3b:d9:b7:d9:fb:42:22:ba:27:
81:2a:7f:72:b7:81:f2:73:eb:1c:8f:90:ac:ba:80:
ac:c2:4f:4a:aa:bc:2b:d8:05:cd:98:b3:0d:11:18:
45:09:b1:bc:43:6e:53:c3:19:ff:6d:55:64:1d:ea:
73:27:3f:c1:f6:87:b7:6b:13:12:77:6e:de:05:bf:
bb:8c:42:6d:49:32:0f:a0:d5:06:20:14:ff:39:58:
28:67:39:34:15:40:72:d3:f8:4b:a8:07:0c:82:14:
21:f5:2a:c1:05:6e:4e:7f:3a:86:0c:c1:0b:97:6f:
61:4b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:localhost, DNS:*.localhost
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
72:bc:10:27:91:1b:11:6e:29:11:1d:91:66:93:7d:f4:d8:8d:
0e:57:14:c8:16:44:c9:bd:e6:1e:cb:12:53:ee:59:02:29:ea:
53:f8:09:cf:a0:fe:f3:1e:0c:0c:78:34:83:dd:4c:03:6f:e2:
f7:7d:56:44:82:1a:bb:50:c1:bb:3d:1c:58:ea:0d:a6:12:24:
34:4d:b5:3c:a5:10:d3:a6:a5:2d:f9:86:20:bb:e3:fd:62:14:
ec:b7:aa:45:36:3e:f1:f6:02:1f:4a:8b:97:69:98:5e:22:54:
14:5c:87:ee:f0:f7:e2:fc:72:9b:c0:bd:67:a6:fa:4a:69:3e:
6e:48:5e:fe:6d:7a:f6:9e:e6:0f:33:4c:44:39:24:9c:98:06:
da:a9:a1:12:4c:bc:f8:b1:cb:bf:0f:c2:c9:83:aa:e2:4d:c5:
1a:0d:7e:60:da:a6:49:83:b6:f6:a7:da:34:db:aa:0b:8d:19:
b6:c7:f9:67:73:cf:2f:af:e7:09:6c:63:5c:86:c7:4f:cb:a3:
f2:98:77:e0:3a:de:ef:b8:38:df:67:97:8e:fd:79:9b:8b:7b:
a7:05:2c:3f:f7:cf:9a:ff:31:a9:f0:6c:f7:7f:1e:a2:1f:58:
dd:e2:c8:99:b6:3e:c4:41:9d:0f:29:e6:8a:88:f1:6d:a6:b5:
36:e8:40:a2
Environment:
Python version: 3.12.1
Poetry 1.8.2
Werkzeug version: 3.0.1
Mac Sonoma 14.4.1
Is this a bug? I could submit a pull request with my local change to serving.py, which appears to resolve it?
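To make the failure concrete, here is an added example (not Werkzeug's code and not the reporter's patch) that re-implements the hostname check wget, curl and requests apply to the subjectAltName, and runs it against the two SAN blocks copied from the openssl dumps above. The `ourapp.localhost` hostname is the one the issue connects to; the other hostnames and the text layout of the SAN block are constructed for the example.

```python
"""Hostname matching against X.509 subjectAltName DNS entries.

Added example, not Werkzeug's own code: it re-implements the check that
wget, curl and requests apply and shows why the auto-generated SAN from
the issue fails while the manually generated one passes. The SAN text
below is copied from the `openssl x509 -text` output in the issue; the
hostname `ourapp.localhost` is the one the issue connects to.
"""
import re

# Constructed input: the SAN block as `openssl x509 -text -noout` prints it,
# first for the auto-generated certificate, then for the manual one.
BROKEN_SAN_TEXT = """\
        X509v3 Extended Key Usage:
            TLS Web Server Authentication
        X509v3 Subject Alternative Name:
            DNS:*.localhost/CN=localhost
"""

FIXED_SAN_TEXT = """\
        X509v3 Extended Key Usage:
            TLS Web Server Authentication
        X509v3 Subject Alternative Name:
            DNS:localhost, DNS:*.localhost
"""

# One DNS label: letters, digits and hyphens, no hyphen at either end (RFC 1123).
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def parse_san_dns(openssl_text: str) -> list[str]:
    """Return the DNS: entries from the SAN extension in `openssl x509 -text` output."""
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines):
        if "X509v3 Subject Alternative Name:" in line and i + 1 < len(lines):
            entries = [e.strip() for e in lines[i + 1].split(",")]
            return [e[len("DNS:"):] for e in entries if e.startswith("DNS:")]
    return []


def dns_id_matches(hostname: str, dns_id: str) -> bool:
    """RFC 6125 section 6.4.3 comparison of a hostname with one DNS-ID.

    Strict form used by current clients: a wildcard must be the whole
    left-most label, matches exactly one label, and never matches the
    bare parent name (so "*.localhost" does not cover "localhost").
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    id_labels = dns_id.lower().rstrip(".").split(".")
    if len(host_labels) != len(id_labels):
        return False
    for n, (h, i) in enumerate(zip(host_labels, id_labels)):
        if n == 0 and i == "*" and len(id_labels) > 1:
            if not _LABEL.match(h):
                return False
            continue
        # Every other label must be a well-formed label and compare equal;
        # "localhost/CN=localhost" fails here because '/' and '=' are not
        # label characters, which is what wget reports as "no SAN matches".
        if not _LABEL.match(i) or h != i:
            return False
    return True


def hostname_allowed(hostname: str, san_dns: list[str]) -> bool:
    """True if any SAN DNS entry covers the hostname."""
    return any(dns_id_matches(hostname, d) for d in san_dns)


def check_cert_text(openssl_text: str, hostname: str) -> bool:
    """Parse the SAN from openssl's text dump and run the hostname check."""
    return hostname_allowed(hostname, parse_san_dns(openssl_text))


if __name__ == "__main__":
    for label, text in (("auto-generated", BROKEN_SAN_TEXT), ("manual", FIXED_SAN_TEXT)):
        san = parse_san_dns(text)
        for host in ("ourapp.localhost", "localhost", "a.b.localhost"):
            print(f"{label:14} {san!s:40} {host:18} -> {check_cert_text(text, host)}")
```

Two practical points follow from the matcher. The fixed certificate needs both `DNS:localhost` and `DNS:*.localhost` because a wildcard never matches its bare parent name. And clients are not uniform about a wildcard whose suffix is a single label: OpenSSL's `X509_check_host`, for instance, only honours a wildcard followed by at least two labels, so if a client still rejects `*.localhost`, adding the concrete name you use (here `DNS:ourapp.localhost`) to the SAN is the most portable fix.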
If you already have a fix, then submitting a PR (or at least showing the patch in here) is always a good idea - also because that way we immediately see what (you think) is wrong with our code, which is often much faster than reading a long natural language description ;)