
Cannot use critical constraints in the server certificate.

Open phibbs7 opened this issue 4 years ago • 0 comments

Environment

  • ejabberd version: 21.01-2
  • Erlang version: Erlang (SMP,ASYNC_THREADS) (BEAM) emulator version 11.1.8
  • OS: Linux (Debian 11)
  • Installed from: distro package

Errors from error.log/crash.log

No errors

Bug description


Attempting to use a certificate chain as a server certificate with a critical flag on the X509v3 Basic Constraints causes ejabberd to reject the chain with the following error in ejabberd.log:

[warning] <0.355.0>@ejabberd_pkix:log_warnings/1:393
 Invalid certificate in /etc/ejabberd/ejabberd.pem: at line 43:
 unknown_critical_extension

The only critical constraints in this certificate chain are:

X509v3 Basic Constraints: critical
                CA:FALSE
X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0

and

X509v3 Basic Constraints: critical
                CA:TRUE

I cannot change these constraints as they are defined by the CA. I would expect that the most basic of CA flag checks would be handled correctly by whatever TLS library is used.

phibbs7 · Aug 08 '21 06:08
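A check for this situation, added here as an example and not part of the ejabberd project or the reporter's post: it walks a PEM bundle such as /etc/ejabberd/ejabberd.pem, prints the line on which each certificate starts (the line number that ejabberd_pkix cites in its warning) and lists that certificate's critical extensions with their values, so the unknown_critical_extension warning can be matched to one certificate in the chain. It assumes only that the openssl command-line tool is on PATH.

```shell
#!/bin/sh
# Added example (not ejabberd code): per certificate in a PEM bundle, print
# "line N" (where the BEGIN CERTIFICATE marker sits) followed by every
# X509v3 extension that openssl reports as critical, plus its value line.
# Assumption: the openssl CLI is installed; the bundle is concatenated PEM
# blocks (private keys in the same file are simply skipped).
set -eu

# list_critical_extensions BUNDLE
# Output per certificate:
#   line 43
#     X509v3 Basic Constraints: critical
#         CA:TRUE, pathlen:0
list_critical_extensions() {
    bundle="$1"
    # Line numbers of each certificate's BEGIN marker, matching the
    # "at line N" reference in the ejabberd_pkix warning.
    grep -n -- '-----BEGIN CERTIFICATE-----' "$bundle" | cut -d: -f1 |
    while read -r start; do
        echo "line $start"
        # Cut out exactly this PEM block and decode it with openssl.
        sed -n "${start},/-----END CERTIFICATE-----/p" "$bundle" |
        openssl x509 -noout -text |
        # Extension headers look like "    X509v3 Basic Constraints: critical";
        # keep each such header and the value line that follows it.
        sed -n -e '/: critical *$/{' -e 's/^ */  /' -e p \
               -e n -e 's/^ */      /' -e p -e '}'
    done
}

# Stand-alone use: list_critical_extensions.sh /etc/ejabberd/ejabberd.pem
if [ "$#" -gt 0 ]; then
    list_critical_extensions "$1"
fi
```

Certificates whose only critical extension is Basic Constraints, as in the report above, show exactly one header line under their "line N" entry; any other critical extension listed there is the next candidate for an unknown_critical_extension rejection.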