From: elijah Date: Tue, 11 Dec 2012 10:19:27 +0000 (-0800) Subject: add keyEncipherment to server certs X-Git-Url: https://gitweb.fluxo.info/?a=commitdiff_plain;h=4a63e8c258025f91f4f3e37385fe2dfc0fc579ad;p=leap%2Fleap_cli.git add keyEncipherment to server certs
---
diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb
index d6fd975..c87dcea 100644
--- a/lib/leap_cli/commands/ca.rb
+++ b/lib/leap_cli/commands/ca.rb
@@ -267,8 +267,15 @@ module LeapCli; module Commands
 end
 #
- # for keyusage, openvpn server certs can have keyEncipherment or keyAgreement. I am not sure which is preferable.
- # going with keyAgreement for now.
+ # For keyusage, openvpn server certs can have keyEncipherment or keyAgreement.
+ # Web browsers seem to break without keyEncipherment.
+ #
+ # * digitalSignature ==> for (EC)DHE cipher suites
+ # * keyEncipherment ==> for plain RSA cipher suites
+ # * keyAgreement ==> for used with DH, not RSA.
+ #
+ # I am including all three because that seems to work in all cases. I am not sure if this
+ # is the right thing to do.
 #
 # digest options: SHA512, SHA256, SHA1
 #
@@ -277,10 +284,10 @@ module LeapCli; module Commands
 "digest" => manager.provider.ca.server_certificates.digest,
 "extensions" => {
 "keyUsage" => {
- "usage" => ["digitalSignature", "keyAgreement"]
+ "usage" => ["digitalSignature", "keyEncipherment", "keyAgreement"]
 },
 "extendedKeyUsage" => {
- "usage" => ["serverAuth"]
+ "usage" => ["serverAuth", "clientAuth"]
 },
 "subjectAltName" => {
 "ips" => [node.ip_address],
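Review bot: The extendedKeyUsage change in the second hunk adds clientAuth to every server certificate, and neither the commit title ("add keyEncipherment to server certs") nor the new comment block in the first hunk explains it; a server key that is also valid for clientAuth can authenticate as a client to any peer that trusts this CA, so this widens what a leaked server key can be used for. If some component genuinely needs the server cert to act as a client, the reason belongs in the comment block above, e.g. `# clientAuth is included because <reason — TODO fill in>`; otherwise the EKU should stay at `"usage" => ["serverAuth"]`. On keyUsage, keyAgreement is defined for DH/ECDH keys, so on RSA server keys it is inert but harmless; the comment line would read more clearly as `# * keyAgreement ==> for use with DH keys, not RSA.` The hash literal and the enclosing method start and end outside both hunks.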