Branch: refs/heads/master
Home:
https://github.com/Checkmk/checkmk
Commit: 2f85f8ee276a9bfd3a27dfb00c2d972605ebc9b6
https://github.com/Checkmk/checkmk/commit/2f85f8ee276a9bfd3a27dfb00c2d97260…
Author: Maximilian Wirtz <maximilian.wirtz(a)checkmk.com>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
A .werks/16614.md
M cmk/gui/watolib/config_domains.py
M tests/unit/cmk/gui/watolib/test_config_domains.py
Log Message:
-----------
16614 FIX Ignore CAs with negative serial numbers
Cryptography started to warn about certificates with negative serial
numbers.
There is an RFC that deprecated them but there still are CAs from before
that that were perfectly fine when issued.
Since cryptography does not use the "normal" DeprecationWarnings the
warnings are written to stderr so we build some workaround to convert
them to exceptions so we could catch them.
Originally we logged some warning to the user but apparently this
confused more than it helped so we decided to silently ignore these
warnings.
For more details see CMK-16410.
Fyi, we only stumbled upon one CA that uses a negative serial number and
that is `EC-ACC` of `O = Agencia Catalana de Certificacio (NIF Q-0801176-I)`
(fingerprint:
`28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8`)
Change-Id: I56ca87624703416cae5584607b2552bee84ee627
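An added example, not code from this commit or from Checkmk: instead of turning the library's warning into an exception, it reads the serialNumber directly from the DER encoding and sets aside CAs whose serial is negative. All function names are hypothetical, and the sample inputs are constructed skeletons rather than real certificates.

```python
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def certificate_serial(der):
    """Return serialNumber of a DER X.509 certificate as a signed int."""
    tag, pos, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = read_tlv(der, pos)      # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:                       # optional [0] EXPLICIT version
        tag, start, end = read_tlv(der, end)
    if tag != 0x02 or start == end:
        raise ValueError("serialNumber INTEGER not found")
    # DER INTEGERs are two's complement: a set top bit means negative.
    return int.from_bytes(der[start:end], "big", signed=True)

def split_by_serial_sign(cas):
    """Split {name: der} into (kept, ignored); negative serials are ignored."""
    kept, ignored = [], []
    for name, der in cas.items():
        (ignored if certificate_serial(der) < 0 else kept).append(name)
    return kept, ignored

def sample_cert(serial):
    """Constructed skeleton (not a valid certificate): DER up to the serial."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial))
    return tlv(0x30, tbs)

SAMPLE_CAS = {  # constructed names and serial bytes
    "positive": sample_cert(b"\x01\x23"),
    "padded-positive": sample_cert(b"\x00\x80"),
    "negative": sample_cert(b"\xff\x7f"),
}
```

The `padded-positive` sample shows why the check has to decode the integer as signed: a leading `00` octet keeps a value with the top bit set positive.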