Mercurial > hg > nginx-tests
changeset 1945:0b5ec15c62ed
Tests: compatibility with "openssl" app from OpenSSL 3.2.0.
OpenSSL 3.2.0's "openssl" app generates X.509v3 certificates unless explicitly
asked not to. Such certificates, even self-signed ones, cannot be used to sign
other certificates without CA:TRUE explicitly set in the basicConstraints
extension. As a result, tests doing so are now failing.
Fix is to provide basicConstraints with CA:TRUE for self-signed root
certificates used in "openssl ca" calls.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 29 Jan 2024 00:34:16 +0300 |
parents | c287864444f8 |
children | 374722806924 |
files | ssl.t ssl_certificate_chain.t ssl_crl.t ssl_ocsp.t ssl_stapling.t ssl_verify_depth.t |
diffstat | 6 files changed, 18 insertions(+), 0 deletions(-) |
--- a/ssl.t Mon Jan 22 23:17:24 2024 +0400 +++ b/ssl.t Mon Jan 29 00:34:16 2024 +0300 @@ -116,7 +116,10 @@ default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name +x509_extensions = myca_extensions [ req_distinguished_name ] +[ myca_extensions ] +basicConstraints = critical,CA:TRUE EOF my $d = $t->testdir();
--- a/ssl_certificate_chain.t Mon Jan 22 23:17:24 2024 +0400 +++ b/ssl_certificate_chain.t Mon Jan 29 00:34:16 2024 +0300 @@ -71,7 +71,10 @@ default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name +x509_extensions = myca_extensions [ req_distinguished_name ] +[ myca_extensions ] +basicConstraints = critical,CA:TRUE EOF $t->write_file('ca.conf', <<EOF);
--- a/ssl_crl.t Mon Jan 22 23:17:24 2024 +0400 +++ b/ssl_crl.t Mon Jan 29 00:34:16 2024 +0300 @@ -79,7 +79,10 @@ default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name +x509_extensions = myca_extensions [ req_distinguished_name ] +[ myca_extensions ] +basicConstraints = critical,CA:TRUE EOF $t->write_file('ca.conf', <<EOF);
--- a/ssl_ocsp.t Mon Jan 22 23:17:24 2024 +0400 +++ b/ssl_ocsp.t Mon Jan 29 00:34:16 2024 +0300 @@ -116,7 +116,10 @@ default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name +x509_extensions = myca_extensions [ req_distinguished_name ] +[ myca_extensions ] +basicConstraints = critical,CA:TRUE EOF $t->write_file('ca.conf', <<EOF);
--- a/ssl_stapling.t Mon Jan 22 23:17:24 2024 +0400 +++ b/ssl_stapling.t Mon Jan 29 00:34:16 2024 +0300 @@ -125,7 +125,10 @@ default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name +x509_extensions = myca_extensions [ req_distinguished_name ] +[ myca_extensions ] +basicConstraints = critical,CA:TRUE EOF $t->write_file('ca.conf', <<EOF);
--- a/ssl_verify_depth.t Mon Jan 22 23:17:24 2024 +0400 +++ b/ssl_verify_depth.t Mon Jan 29 00:34:16 2024 +0300 @@ -76,7 +76,10 @@ default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name +x509_extensions = myca_extensions [ req_distinguished_name ] +[ myca_extensions ] +basicConstraints = critical,CA:TRUE EOF $t->write_file('ca.conf', <<EOF);
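Review bot: In the ssl.t hunk at -116,7, and identically in the other five files, `x509_extensions = myca_extensions` goes into the same section that holds `default_bits` and `distinguished_name`. It therefore applies to every certificate generated with `openssl req -x509` against this config, not only to the root that is later passed to "openssl ca". Please confirm that none of these tests use the same config for self-signed end-entity certificates. If any does, those certificates now carry `basicConstraints = critical,CA:TRUE`, and a test that expects a non-CA certificate no longer exercises that case. In that case, keep the `[ myca_extensions ]` section but select it with `-extensions myca_extensions` on the root-generation command only, or write a separate config for the root.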
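Review bot: The same three added lines are repeated verbatim in the heredocs of ssl.t, ssl_certificate_chain.t, ssl_crl.t, ssl_ocsp.t, ssl_stapling.t and ssl_verify_depth.t, and none of them carries a comment saying why the section exists. A one-line comment above `[ myca_extensions ]` noting that OpenSSL 3.2.0 requires CA:TRUE on the signing certificate would keep the reason next to the config. If the test library permits, a shared helper that writes this config would spare the next OpenSSL behaviour change another six-file edit.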