freeipa

Clone
Source Code
GIT

7da5187 Don't write p11-kit EKU extension object if no EKU

2 files Authored by stlaz 6 years ago, Committed by tkrizek 6 years ago,
raw patch tree parent
2 files changed. 7 lines added. 3 lines removed.
ipalib/x509.py
file modified
+4 -1
ipaplatform/redhat/tasks.py
file modified
+3 -2 
    Don't write p11-kit EKU extension object if no EKU
    
    b5732efd introduced a regression because it tries to write EKU
    that's actually in the CA cert instead of using the LDAP information.
    However, when no EKU is available,
    IPACertificate.extended_key_usage_bytes still returned at least
    EKU_PLACEHOLDER OID to keep the behavior the same as in previous
    versions. This caused the EKU_PLACEHOLDER to be written in the
    ipa.p11-kit file which made Firefox report FreeIPA Web UI as
    improperly configured.
    
    https://pagure.io/freeipa/issue/7119
    
    Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
file modified
+4 -1
file modified
+3 -2
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.