QuasarApp/openssl
4
0
Fork 0
mirror of https://github.com/QuasarApp/openssl.git synced 2025-05-11 08:59:40 +00:00
Code Issues Projects Releases Wiki Activity

RT3809: basicConstraints is critical

Browse Source 
This is really a security bugfix, not enhancement any more.
Everyone knows critical extensions.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
This commit is contained in:
Rich Salz 2016-06-12 22:21:54 -04:00
parent 7d6284057b
commit a7be5759cf
5 changed files with 6 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
apps/openssl-vms.cnf
View File

@ -233,11 +233,7 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical basicConstraints = critical,CA:true
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will # Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best # prevent it being used as an test self-signed certificate it is best

6
apps/openssl.cnf
View File

@ -233,11 +233,7 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical basicConstraints = critical,CA:true
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will # Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best # prevent it being used as an test self-signed certificate it is best

2
doc/apps/req.pod
View File

@ -543,7 +543,7 @@ Sample configuration file prompting for field values:
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true basicConstraints = critical, CA:true
Sample configuration containing all field values: Sample configuration containing all field values:

2
test/CAss.cnf
View File

@ -71,6 +71,6 @@ emailAddress = optional
[ v3_ca ] [ v3_ca ]
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true,pathlen:1 basicConstraints = critical,CA:true,pathlen:1
keyUsage = cRLSign, keyCertSign keyUsage = cRLSign, keyCertSign
issuerAltName=issuer:copy issuerAltName=issuer:copy

4
test/certs/mkcert.sh
View File

@ -88,7 +88,7 @@ genroot() {
local skid="subjectKeyIdentifier = hash" local skid="subjectKeyIdentifier = hash"
local akid="authorityKeyIdentifier = keyid" local akid="authorityKeyIdentifier = keyid"
exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true") exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true")
for eku in "$@" for eku in "$@"
do do
exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku") exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
@ -107,7 +107,7 @@ genca() {
local skid="subjectKeyIdentifier = hash" local skid="subjectKeyIdentifier = hash"
local akid="authorityKeyIdentifier = keyid" local akid="authorityKeyIdentifier = keyid"
exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true") exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true")
for eku in "$@" for eku in "$@"
do do
exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku") exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")