[前][次][番号順一覧][スレッド一覧]

ruby-changes:60630

From: Sorah <ko1@a...>
Date: Fri, 3 Apr 2020 01:08:16 +0900 (JST)
Subject: [ruby-changes:60630] 0f57d66f9e (master): webrick/ssl: More keyUsage for self-signed certs

https://git.ruby-lang.org/ruby.git/commit/?id=0f57d66f9e

From 0f57d66f9e1e7bf4419d9d3a70132bbc4006f9fe Mon Sep 17 00:00:00 2001
From: Sorah Fukumori <her@s...>
Date: Fri, 3 Apr 2020 00:49:12 +0900
Subject: webrick/ssl: More keyUsage for self-signed certs

Chrome 75+ started to strictly enforce X.509 keyUsage against TLS server
certificates. Webrick supports generating instant self-signed
certificates for debugging purpose and these certificates lacks required
keyUsage for modern TLS. So adding the following keyUsages:

- digitalSignature (for server authentication)
- keyAgreement (for DH key exchange)
- dataEncipherment (for data encryption)

References:

- https://tools.ietf.org/html/rfc5280#section-4.2.1.3
- https://crbug.com/795089
- https://boringssl-review.googlesource.com/c/34604

diff --git a/lib/webrick/ssl.rb b/lib/webrick/ssl.rb
index d125083..ab1837f 100644
--- a/lib/webrick/ssl.rb
+++ b/lib/webrick/ssl.rb
@@ -122,7 +122,7 @@ module WEBrick https://github.com/ruby/ruby/blob/trunk/lib/webrick/ssl.rb#L122
       ef.issuer_certificate = cert
       cert.extensions = [
         ef.create_extension("basicConstraints","CA:FALSE"),
-        ef.create_extension("keyUsage", "keyEncipherment"),
+        ef.create_extension("keyUsage", "keyEncipherment, digitalSignature, keyAgreement, dataEncipherment"),
         ef.create_extension("subjectKeyIdentifier", "hash"),
         ef.create_extension("extendedKeyUsage", "serverAuth"),
         ef.create_extension("nsComment", comment),
-- 
cgit v0.10.2


--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/

[前][次][番号順一覧][スレッド一覧]