diff options
| author |   Scott Murray <scott.murray@konsulko.com> | 2022-07-11 19:29:53 -0400 |
|---|---|---|
| committer |   Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2022-07-13 21:58:38 +0000 |
| commit | 08977ac24f2d31b0955786824c9ff62eff981ee9 (patch) | |
| tree | 5315c8605e38eee12b164a9884891168900516d8 /recipes-connectivity/kuksa-val/kuksa-val_git.bb | |
| parent | ff1776b06bc54c36d199f9061f1ff78c7b3db027 (diff) | |
kuksa-val: add regenerated server certificateneedlefish_13.91.0needlefish/13.91.013.91.0
After fixing the issue with the SSL context purpose in the Python
client library, client connections were still failing with the
error:
certificate verify failed: IP address mismatch, certificate is not valid for localhost
To fix this, the certificate generation script has been patched to
create the now required Subject Alt Name extension field, as that has
effectively replaced using the CN field in most SSL implementations.
Replacement Server.key and Server.pem files generated with the
updated script have been added to give us a working configuration
while this is worked with upstream so their default configuration is
usable with newer Python + OpenSSL versions.
Bug-AGL: SPEC-4467
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Change-Id: I9e8374fbbef6e8570b16d87f4e1800ceba8aacad
Diffstat (limited to 'recipes-connectivity/kuksa-val/kuksa-val_git.bb')
| -rw-r--r-- | recipes-connectivity/kuksa-val/kuksa-val_git.bb | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/recipes-connectivity/kuksa-val/kuksa-val_git.bb b/recipes-connectivity/kuksa-val/kuksa-val_git.bb index a8e2c31f..8bfa5ab6 100644 --- a/recipes-connectivity/kuksa-val/kuksa-val_git.bb +++ b/recipes-connectivity/kuksa-val/kuksa-val_git.bb @@ -18,6 +18,9 @@ SRC_URI += "file://kuksa-val.service \ file://0002-Fix-gRPC-configuration-for-OE-cross-compiling.patch \ file://0003-Make-install-locations-configurable.patch \ file://0004-Disable-default-fetch-and-build-of-googletest.patch \ + file://0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch \ + file://Server.key \ + file://Server.pem \ " inherit cmake pkgconfig systemd useradd @@ -48,6 +51,17 @@ do_install:append() { install -m 0644 ${WORKDIR}/kuksa-val.service ${D}${systemd_system_unitdir} fi + # Install replacement server key + certificate + # These are AGL specific versions generated using a tweaked + # genCerts.sh script from the source tree that adds the now + # required subjectAltName extension field to make python3-ssl + # happy. This will be addressed with upstream and can hopefully + # be dropped in the future. + rm -f ${D}${sysconfdir}/kuksa-val/Server.key + install ${WORKDIR}/Server.key ${D}${sysconfdir}/kuksa-val/ + rm -f ${D}${sysconfdir}/kuksa-val/Server.pem + install ${WORKDIR}/Server.pem ${D}${sysconfdir}/kuksa-val/ + # Restrict server certificate access # NOTE: The client certificates are left alone here for client # development convenience for now, but this will need to |