stunnel.cnf should set keyUsage = keyCertSign

I'm trying to write a Go program to connect to an stunnel server and verify the certificate, but it fails because the Go language requires that self-signed certs have keyCertSign set in the keyUsages. The default stunnel.cnf does not set this. According to the following message thread, this is required by RFC 5280:
https://groups.google.com/forum/#!msg/golang-nuts/LfLHjVkeSj8/YyP-LSPEytEJ
The solution to this is to add 'keyUsage = keyCertSign' to the stunnel.cnf.

Hello,

...Seems you are confusing it with the openssl.cnf configuration file...

Best regards,
Pierre Delaage

On 11/03/2014 05:31, Athir Nuaimi wrote:
> I'm trying to write a Go program to connect to an stunnel server and verify the certificate, but it fails because the Go language requires that self-signed certs have keyCertSign set in the keyUsages. The default stunnel.cnf does not set this. According to the following message thread, this is required by RFC 5280:
> https://groups.google.com/forum/#!msg/golang-nuts/LfLHjVkeSj8/YyP-LSPEytEJ
> The solution to this is to add 'keyUsage = keyCertSign' to the stunnel.cnf.

_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

Hello again,

More precisely: that option should be set on the machine that has generated the certificate: probably not your "client" one... but a kind of CA server somewhere... Not related at all to stunnel.

You should subscribe to the openssl mailing lists here: http://www.openssl.org/support/community.html

Best,
Pierre Delaage

On 11/03/2014 05:31, Athir Nuaimi wrote:
> [quoted original message, same as above]

Athir Nuaimi wrote:
> I'm trying to write a Go program to connect to an stunnel server and verify the certificate, but it fails because the Go language requires that self-signed certs have keyCertSign set in the keyUsages. The default stunnel.cnf does not set this. According to the following message thread, this is required by RFC 5280:
> https://groups.google.com/forum/#!msg/golang-nuts/LfLHjVkeSj8/YyP-LSPEytEJ
> The solution to this is to add keyUsage = keyCertSign to the stunnel.cnf.

Good point. What would be the right options for self-signed SSL certs? My guess is:

    nsCertType = server
    basicConstraints = CA:TRUE,pathlen:0
    keyUsage = keyCertSign
    extendedKeyUsage = serverAuth

Mike
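The two openssl.cnf lines in Mike's guess that matter to a Go client, basicConstraints = CA:TRUE,pathlen:0 and keyUsage = keyCertSign, map directly onto checks in Go's crypto/x509 package. The program below is an added example written for this thread; it is not code from the original posts, from stunnel, or from the Go project. It mints self-signed certificates with and without those two extensions and runs them through the exact rule Go applies to any certificate that has to act as an issuer (CheckSignatureFrom, which Verify calls for every candidate parent while building a chain), and then through a full Verify with the self-signed cert as the sole trust root. The host names "stunnel.example" and "client.example", the ECDSA P-256 keys and the 24-hour validity are constructed for the example; nsCertType is a legacy Netscape extension that Go's x509 template has no field for and its parser ignores, so it is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ServerOnly is the keyUsage a plain TLS server cert usually carries;
// WithCertSign adds the bit the thread says Go insists on for an issuer.
const (
	ServerOnly   = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	WithCertSign = ServerOnly | x509.KeyUsageCertSign
)

// newSelfSigned mints a self-signed certificate for the constructed host name
// "stunnel.example". caTrue adds basicConstraints CA:TRUE,pathlen:0 (Mike's
// suggested openssl.cnf line); without it the v3 cert has no basicConstraints.
func newSelfSigned(keyUsage x509.KeyUsage, caTrue bool) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "stunnel.example"},
		DNSNames:              []string{"stunnel.example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              keyUsage,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: caTrue,
		IsCA:                  caTrue,
		MaxPathLenZero:        caTrue, // encodes pathlen:0 when CA:TRUE
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssuerCheck asks crypto/x509 whether the self-signed cert may vouch for its
// own signature. CheckSignatureFrom is the test Verify applies to every
// candidate parent while building a chain; before verifying the signature it
// enforces RFC 5280: an issuer that carries a keyUsage extension must include
// keyCertSign, and a v3 issuer must carry basicConstraints with CA:TRUE.
func IssuerCheck(keyUsage x509.KeyUsage, caTrue bool) error {
	cert, _, err := newSelfSigned(keyUsage, caTrue)
	if err != nil {
		return err
	}
	return cert.CheckSignatureFrom(cert)
}

// ChainCheck makes the self-signed cert the only trust root, has it issue a
// leaf for the constructed name "client.example", and runs Verify on that
// leaf: the chain-building path a Go TLS client takes, whose failure is
// reported as "x509: certificate signed by unknown authority".
func ChainCheck(keyUsage x509.KeyUsage, caTrue bool) error {
	ca, caKey, err := newSelfSigned(keyUsage, caTrue)
	if err != nil {
		return err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "client.example"},
		DNSNames:     []string{"client.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "client.example"})
	return err
}

func main() {
	fmt.Println("CA:TRUE, no keyCertSign:        ", IssuerCheck(ServerOnly, true))
	fmt.Println("keyCertSign, no basicConstraints:", IssuerCheck(WithCertSign, false))
	fmt.Println("CA:TRUE,pathlen:0 + keyCertSign: ", IssuerCheck(WithCertSign, true))
	fmt.Println("chain, no keyCertSign:           ", ChainCheck(ServerOnly, true))
	fmt.Println("chain, full options:             ", ChainCheck(WithCertSign, true))
}
```

Only the last case in each group passes; the first two fail with Go's ConstraintViolationError ("parent certificate cannot sign this kind of certificate"). Two details worth knowing when reading the errors: Go enforces the keyCertSign rule only when a keyUsage extension is present at all (a certificate with no keyUsage extension is not rejected on that ground), and the basicConstraints rule applies to every v3 certificate, so adding keyUsage = keyCertSign alone, without CA:TRUE, is not enough for a certificate that has to act as an issuer.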
Participants (3): Athir Nuaimi, Michal Trojnara, Pierre DELAAGE