Mercurial > hg > nginx-tests
comparison ssl_stapling.t @ 1945:0b5ec15c62ed
Tests: compatibility with "openssl" app from OpenSSL 3.2.0.
OpenSSL 3.2.0's "openssl" app generates X.509v3 certificates unless explicitly
asked not to. Such certificates, even self-signed ones, cannot be used to sign
other certificates without CA:TRUE explicitly set in the basicConstraints
extension. As a result, tests doing so are now failing.
Fix is to provide basicConstraints with CA:TRUE for self-signed root
certificates used in "openssl ca" calls.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 29 Jan 2024 00:34:16 +0300 |
| parents | 1ba5108b6c24 |
| children | 0a93f101925a |
comparison
equal
deleted
inserted
replaced
| 1944:c287864444f8 | 1945:0b5ec15c62ed |
|---|---|
| 123 $t->write_file('openssl.conf', <<EOF); | 123 $t->write_file('openssl.conf', <<EOF); |
| 124 [ req ] | 124 [ req ] |
| 125 default_bits = 2048 | 125 default_bits = 2048 |
| 126 encrypt_key = no | 126 encrypt_key = no |
| 127 distinguished_name = req_distinguished_name | 127 distinguished_name = req_distinguished_name |
| 128 x509_extensions = myca_extensions | |
| 128 [ req_distinguished_name ] | 129 [ req_distinguished_name ] |
| 130 [ myca_extensions ] | |
| 131 basicConstraints = critical,CA:TRUE | |
| 129 EOF | 132 EOF |
| 130 | 133 |
| 131 $t->write_file('ca.conf', <<EOF); | 134 $t->write_file('ca.conf', <<EOF); |
| 132 [ ca ] | 135 [ ca ] |
| 133 default_ca = myca | 136 default_ca = myca |