comparison ssl_crl.t @ 1945:0b5ec15c62ed

Tests: compatibility with "openssl" app from OpenSSL 3.2.0. OpenSSL 3.2.0's "openssl" app generates X.509v3 certificates unless explicitly asked not to. Such certificates, even self-signed ones, cannot be used to sign other certificates without CA:TRUE explicitly set in the basicConstraints extension. As a result, tests doing so are now failing. Fix is to provide basicConstraints with CA:TRUE for self-signed root certificates used in "openssl ca" calls.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 29 Jan 2024 00:34:16 +0300
parents a797d7428fa5
children
comparison
equal deleted inserted replaced
1944:c287864444f8 1945:0b5ec15c62ed
77 $t->write_file('openssl.conf', <<EOF); 77 $t->write_file('openssl.conf', <<EOF);
78 [ req ] 78 [ req ]
79 default_bits = 2048 79 default_bits = 2048
80 encrypt_key = no 80 encrypt_key = no
81 distinguished_name = req_distinguished_name 81 distinguished_name = req_distinguished_name
82 x509_extensions = myca_extensions
82 [ req_distinguished_name ] 83 [ req_distinguished_name ]
84 [ myca_extensions ]
85 basicConstraints = critical,CA:TRUE
83 EOF 86 EOF
84 87
85 $t->write_file('ca.conf', <<EOF); 88 $t->write_file('ca.conf', <<EOF);
86 [ ca ] 89 [ ca ]
87 default_ca = myca 90 default_ca = myca