Branch: refs/heads/2.3.0
Home: https://github.com/Checkmk/checkmk
Commit: d4c74f729651c75b5a63854539e271150886478f
https://github.com/Checkmk/checkmk/commit/d4c74f729651c75b5a63854539e271150…
Author: Maximilian Wirtz <maximilian.wirtz(a)checkmk.com>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
A .werks/16614.md
M cmk/gui/watolib/config_domains.py
M tests/unit/cmk/gui/watolib/test_config_domains.py
Log Message:
-----------
16614 FIX Ignore CAs with negative serial numbers
Cryptography started to warn about certificates with negative serial
numbers.
There is an RFC that deprecated them but there still are CAs from before
that that were perfectly fine when issued.
Since cryptography does not use the "normal" DeprecationWarnings the
warnings are written to stderr so we build some workaround to convert
them to exceptions so we could catch them.
Originally we logged some warning to the user but apparently this
confused more than it helped so we decided to silently ignore these
warnings.
For more details see CMK-16410.
Fyi, we only stumbled upon one CA that uses a negative serial number and
that is `EC-ACC` of `O = Agencia Catalana de Certificacio (NIF Q-0801176-I)`
(fingerprint:
`28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8`)
Change-Id: I56ca87624703416cae5584607b2552bee84ee627
(cherry picked from commit 2f85f8ee276a9bfd3a27dfb00c2d972605ebc9b6)
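
Added example, not part of the commit or of Checkmk's code: the commit message describes skipping CAs whose serial number is negative by reacting to the warning from cryptography. The sketch below shows the underlying check itself with the standard library only, reading the serialNumber INTEGER straight from the DER and testing its sign. All function names are hypothetical, and the sample inputs are constructed stubs that contain only the leading certificate fields, not real certificates.

```python
from __future__ import annotations

def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER content runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def serial_number(cert_der: bytes) -> int:
    """Extract the signed serial number from a DER-encoded X.509 certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)               # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, content, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                                # optional [0] EXPLICIT version
        tag, content, nxt = _read_tlv(tbs, nxt)
    if tag != 0x02 or not content:
        raise ValueError("serialNumber INTEGER missing")
    return int.from_bytes(content, "big", signed=True)   # DER INTEGER is two's complement

def split_by_serial(certs: dict[str, bytes]) -> tuple[list[str], list[str]]:
    """Return (kept, ignored) names; certs with negative serials are ignored."""
    kept, ignored = [], []
    for name, der in certs.items():
        (ignored if serial_number(der) < 0 else kept).append(name)
    return kept, ignored

def _stub(serial: bytes) -> bytes:
    """Constructed test input: only the leading fields of a certificate."""
    tbs = b"\xa0\x03\x02\x01\x02" + b"\x02" + bytes([len(serial)]) + serial
    tbs = b"\x30" + bytes([len(tbs)]) + tbs
    return b"\x30" + bytes([len(tbs)]) + tbs

SAMPLES = {"ok-ca": _stub(b"\x00\x80\x01"), "negative-ca": _stub(b"\x80\x01")}
```

A serial whose first content byte has the high bit set and no leading `00` byte decodes as negative, which is the encoding mistake older CAs made.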