OpenSSL config file to lib dir

2019-03-20 00:47:43 +01:00 · 2019-03-20 00:47:43 +01:00 · e6c0fe0370
commit e6c0fe0370
parent 63ba0a5551
2 changed files with 71 additions and 1 deletions
--- a/src/Crypt/CryptConnection.py
+++ b/src/Crypt/CryptConnection.py
@ -15,7 +15,7 @@ class CryptConnectionManager:
            self.openssl_bin = "src\\lib\\opensslVerify\\openssl.exe"
        else:
            self.openssl_bin = "openssl"
-        self.openssl_env = {"OPENSSL_CONF": "src/lib/opensslVerify/openssl.cnf"}
+        self.openssl_env = {"OPENSSL_CONF": "src/lib/openssl/openssl.cnf"}

        self.crypt_supported = []  # Supported cryptos

--- a/src/lib/openssl/openssl.cnf
+++ b/src/lib/openssl/openssl.cnf
@ -0,0 +1,70 @@
+[ req ]
+prompt = no
+default_bits        = 1024
+default_keyfile     = server-key.pem
+distinguished_name  = subject
+req_extensions      = req_ext
+x509_extensions     = x509_ext
+string_mask         = utf8only
+
+# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
+#   Its sort of a mashup. For example, RFC 4514 does not provide emailAddress.
+[ subject ]
+countryName         = US
+stateOrProvinceName = NY
+localityName        = New York
+organizationName    = Example Company, LLC
+
+# Use a friendly name here because its presented to the user. The server's DNS
+#   names are placed in Subject Alternate Names. Plus, DNS names here is deprecated
+#   by both IETF and CA/Browser Forums. If you place a DNS name here, then you
+#   must include the DNS name in the SAN too (otherwise, Chrome and others that
+#   strictly follow the CA/Browser Baseline Requirements will fail).
+commonName          = Example Company
+
+emailAddress        = test@example.com
+
+# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
+[ x509_ext ]
+
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid,issuer
+
+basicConstraints        = CA:FALSE
+keyUsage                = digitalSignature, keyEncipherment
+subjectAltName          = @alternate_names
+nsComment               = "OpenSSL Generated Certificate"
+
+# RFC 5280, Section 4.2.1.12 makes EKU optional
+# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
+# extendedKeyUsage  = serverAuth, clientAuth
+
+# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
+[ req_ext ]
+
+subjectKeyIdentifier    = hash
+
+basicConstraints        = CA:FALSE
+keyUsage                = digitalSignature, keyEncipherment
+subjectAltName          = @alternate_names
+nsComment               = "OpenSSL Generated Certificate"
+
+# RFC 5280, Section 4.2.1.12 makes EKU optional
+# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
+# extendedKeyUsage  = serverAuth, clientAuth
+
+[ alternate_names ]
+
+DNS.1       = example.company.com
+DNS.2       = www.example.company.com
+DNS.3       = mail.example.company.com
+DNS.4       = ftp.example.company.com
+
+# Add these if you need them. But usually you don't want them or
+#   need them in production. You may need them for development.
+# DNS.5       = localhost
+# DNS.6       = localhost.localdomain
+# DNS.7       = 127.0.0.1
+
+# IPv6 localhost
+# DNS.8     = ::1