[checkmk-commits] [Checkmk/checkmk] d4c74f: 16614 FIX Ignore CAs with negative serial numbers

Branch: refs/heads/2.3.0 Home: https://github.com/Checkmk/checkmk Commit: d4c74f729651c75b5a63854539e271150886478f https://github.com/Checkmk/checkmk/commit/d4c74f729651c75b5a63854539e271150… Author: Maximilian Wirtz <maximilian.wirtz(a)checkmk.com> Date: 2024-03-13 (Wed, 13 Mar 2024) Changed paths: A .werks/16614.md M cmk/gui/watolib/config_domains.py M tests/unit/cmk/gui/watolib/test_config_domains.py Log Message: ----------- 16614 FIX Ignore CAs with negative serial numbers Cryptography started to warn about certificates with negative serial numbers. There is a RFC that deprecated them but there still are CAs from before that that were perfectly fine when issued. Since cryptography does not use the "normal" DeprecationWarnings the warnings are written to stderr so we build some workaround to convert them to exceptions so we could catch them. Originally we logged some warrning to the user but apparently this confused more than it helped so we decided to silently ignore these warnings. For more details see CMK-16410. Fyi, we only stumbled upon one CA that uses a negative serial number and that is `EC-ACC` of `O = Agencia Catalana de Certificacio (NIF Q-0801176-I)` (fingerprint: `28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8`) Change-Id: I56ca87624703416cae5584607b2552bee84ee627 (cherry picked from commit 2f85f8ee276a9bfd3a27dfb00c2d972605ebc9b6) To unsubscribe from these emails, change your notification settings at https://github.com/Checkmk/checkmk/settings/notifications