Skip to content

session mbedtls, openssl UPDATE enforce EKU and KU set by client#618

Closed
niklas-moser wants to merge 1 commit into
CESNET:masterfrom
niklas-moser:tls_client_enforce_eku_and_ku_extensions
Closed

session mbedtls, openssl UPDATE enforce EKU and KU set by client#618
niklas-moser wants to merge 1 commit into
CESNET:masterfrom
niklas-moser:tls_client_enforce_eku_and_ku_extensions

Conversation

@niklas-moser

Copy link
Copy Markdown

O-RAN Work Group 11 (Security Work Group) defines in Test Specification 6.9.3 the following test case:

  1. Verify a Certificate with Incorrect or Missing Usage Extensions:
  • Set up a certificate with incorrect or missing key usage or extended key usage extensions.
  • Attempt to use the certificate for its intended purpose.
  • Verify that the certificate is rejected.

Here, O-RAN is stricter then RFC 5280, section 4.2.1.12, which does not require the KU or EKU extensions to be set.

This PR adds the enforcement of these extensions to be set by the client (for the mbedtls and openssl implementation), thus aligning with the O-RAN specification.

Let me know what you think!
Thank you
Niklas

@michalvasko

michalvasko commented Jul 7, 2026

Copy link
Copy Markdown
Member

We are implementing only the base YANG and NETCONF specification and that must be the default behavior. Supporting this O-RAN specification is fine but it must be optional so please adjust it. Whether you make it compile-dependent or add a full YANG option for TLS sessions is up to you but the latter would be preferred (much more difficult, though).

Also, please target the devel branch, we do not accept PRs into master.

…Key Usage (KU) set by client, optional through compile-time flag

Signed-off-by: Niklas Moser <niklas.moser@srs.io>
@niklas-moser niklas-moser force-pushed the tls_client_enforce_eku_and_ku_extensions branch from 4cce4ee to bffe16c Compare July 7, 2026 12:41
@niklas-moser

Copy link
Copy Markdown
Author

Thank you! I opted for the compile-time flag for now. I will close the PR here and open it again with devel as target branch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants