Commit a7be5759 authored by Rich Salz

RT3809: basicConstraints is critical



This is really a security bugfix, not an enhancement any more.
Everyone knows critical extensions.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
parent 7d628405
+1 −5
@@ -233,11 +233,7 @@ subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
basicConstraints = critical,CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
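Review bot: The new `basicConstraints = critical,CA:true` line removes the only comment that explained the extension's criticality, so nothing in the file now records why the non-critical form must not come back the next time an old client rejects the certificate. A one-line comment above it, `# RFC 5280 4.2.1.9: basicConstraints MUST be critical in CA certificates`, would preserve that reason. The same applies to the identical hunk in the next file section. Only the one CA profile at the hunk's position is changed; if these files hold other CA profiles, they are outside the hunk and should be checked for the same value.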
+1 −5
@@ -233,11 +233,7 @@ subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
basicConstraints = critical,CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
+1 −1
@@ -543,7 +543,7 @@ Sample configuration file prompting for field values:

 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
 basicConstraints = CA:true
 basicConstraints = critical, CA:true

Sample configuration containing all field values:

+1 −1
@@ -71,6 +71,6 @@ emailAddress = optional
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true,pathlen:1
basicConstraints = critical,CA:true,pathlen:1
keyUsage = cRLSign, keyCertSign
issuerAltName=issuer:copy
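Review bot: The `keyUsage = cRLSign, keyCertSign` line directly below the new `basicConstraints = critical,CA:true` stays non-critical, so this CA profile is only half aligned with RFC 5280, which also says conforming CAs should mark keyUsage critical when it is present. Since the commit's purpose is to stop relying on a non-critical extension in CA certificates, `keyUsage = critical, cRLSign, keyCertSign` would belong in the same change. The `pathlen:1` part is carried over unchanged, so only the criticality of the constraint differs from before.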
+2 −2
@@ -88,7 +88,7 @@ genroot() {
    local skid="subjectKeyIdentifier = hash"
    local akid="authorityKeyIdentifier = keyid"

    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true")
    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true")
    for eku in "$@"
    do
        exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
@@ -107,7 +107,7 @@ genca() {
    local skid="subjectKeyIdentifier = hash"
    local akid="authorityKeyIdentifier = keyid"

    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true")
    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true")
    for eku in "$@"
    do
        exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
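Review bot: In both hunks `exts` is assigned without `local` while the neighbouring `skid` and `akid` are declared `local`, so the extension text escapes into the caller's scope, and the `basicConstraints = critical,CA:true` literal is now duplicated between genroot and genca. Declaring it once next to the other extension strings, `local bc="basicConstraints = critical,CA:true"` and `local exts`, then `exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "$bc")`, keeps the two generators in step the next time the constraint changes. The bodies of genroot and genca begin before and continue past each hunk. Whether `exts` is left non-local on purpose, for example because it is read after the function returns, cannot be seen from the hunk.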