openssl is grim

I've just spent a whole day trying to generate a certificate with openssl that firefox / chromium will accept.

The issue is something like: the convention changed from sticking a domain name in the CN (common name) field, to using subjectAltName.  Browsers stopped accepting the old one.  But the openssl tooling was not updated with a usable tool, instead requiring arcane, undocumented, opaque, grim, and nasty options / config files.  It's no wonder everyone just uses the cloud.  The poor folk trying to get a working certificate compare notes on places like stackexchange (see for example "Provide subjectAltName to openssl directly on the command line" [0], which contained the final solution for me.  Please note: the "final solution" is not a phenocide of anyone involved in OpenSSL "development").

[0] <https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line>

The one that worked was to provide the arcane "-extfile" option at signing time, providing simply "subjectAltName=DNS:wiki.example.org" inside there (so, surprise: it is not at CSR-generation time).  The one that worked was also several answers down, with the other answers not working, and many other answers and procedures from other pages not having worked.  OpenSSL is a disaster and their developers are oblivious.

As a piece of CLI interface design, what is a nice minimal interface to make a certificate, including making a CA if necessary.  It should match current browser whims, and somehow anticipate a need to adapt to changing browser fashions later, but keep it minimal, not having anything like the full x509 complexity, and certainly not the appalling lack of interface design per openssl.  Most fields can be left empty -- there is no need to start asking for a lot of directory info when someone is trying to get a working certificate.  The domains, key, ca, and arguably ca chain are all that matter.  Maybe optional ip addresses.

On the road to that, how about a serialisation format which, instead of being an opaque blob (base64'd or whatnot), puts all the text stuff in plain text, say in yaml or similar, and just puts binary items like keys, signatures, etc, in base64.  You shouldn't have to run "openssl x509 -noout -text -in wiki.example.org.crt" just to inspect the damned thing, and given their tools' behaviour, one suspects the above of hiding certain fields unless instructed not to, etc etc.

Comments

Post a Comment

Popular posts from this blog

the persistent idiocy of "privileged ports" on Unix

TCP and UDP have ports.  These are 16 bit; there are 65535 or so per IP address. These protocols don't care to differentiate between the ports.  Elsewhere, IANA presumes to operate a process to allocate "well-known" ports in the range 1-1023, "registered ports" in the range 1024-49151, and to reserve the remainder, 49152–65535, for "ephemeral" ports.  The caller end has to have a port, which is how replies get back within the virtual connection, and these are conventionally picked from the ephemeral range by the OS's networking stack. The whole idea of ports is ridiculous, because it allows ISPs to arse around presuming to decide which services they will "not allow".  Anything that allows IPSs to do anything other than shift opaque packets will allow ISPs to meddle and break things, and due to the Law of Meddling, if they can, they will.  I am currently working around an issue with Claro, a pretend ISP, blocking port 5060, allocated to SI
Read more

google is giving more and more 500 errors

Image
Total state capture and moral bankruptcy are not the only problems facing Google.  They are also giving an increasing rate of 500 Internal Server errors.  This is the sort that means they've messed up, but not in a way that they should have messed up.  On the other hand, they have drawn a lovely picture of a robot falling apart. Today's example is from Google Calendar under calendar.google.com.  I was trying to make an appointment, and now I'm doing this. I remember, in 2018, a friend trying to convince me that 500 Internal Server Errors no longer happened, or if they did it was my fault, and that they hadn't seen any for years, and some other things.  They assured me that they would love to see screenshots of such a rare specimen, which I bored them with for a while.  That friend happens to be a Google employee. Well, there are plenty of others posting about Google Calendar on twitter today, including screenshots of 500 Internal Server errors, so I doubt this one is en
Read more

Guernsey Waste in incorrect bag-rejection horror May 6th, 2024

Image
The rubbish collection folk at my new place seem pickier than at other places on Guernsey. Last week, they removed some card packaging that I'd included in the card and paper (plastic) clear bag, and left it on the lane.  This week, they have attached a rejection label entitled "Polite Notice".  Just like modern software-engineered error messages (see attached tag "extremely_general_error_handling"), this does not give a specific reason why the bag was rejected, but instead lists miscellaneous possible "reasons", leaving the victim guessing, or perhaps trying to follow a process of elimination. In this case, some possible reasons, which the label does not claim to be exhaustive ("was most likely because ..."), and of which none apply, are: (i) "did not have the required payment sticker" -- no, I applied to 90 litre sticker; or  (ii) (a) "too heavy" -- no, I estimate it was 3kg, and I easily supported the bag's weight o
Read more