# HG changeset patch # User Maxim Dounin # Date 1706477656 -10800 # Node ID 0b5ec15c62edc4559be4bfc99f2ac041f96034a3 # Parent c287864444f81413e0621981c2dad7c184aa6dfc Tests: compatibility with "openssl" app from OpenSSL 3.2.0. OpenSSL 3.2.0's "openssl" app generates X.509v3 certificates unless explicitly asked not to. Such certificates, even self-signed ones, cannot be used to sign other certificates without CA:TRUE explicitly set in the basicConstraints extension. As a result, tests doing so are now failing. Fix is to provide basicConstraints with CA:TRUE for self-signed root certificates used in "openssl ca" calls. diff --git a/ssl.t b/ssl.t --- a/ssl.t +++ b/ssl.t @@ -116,7 +116,10 @@ EOF default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name +x509_extensions = myca_extensions [ req_distinguished_name ] +[ myca_extensions ] +basicConstraints = critical,CA:TRUE EOF my $d = $t->testdir(); diff --git a/ssl_certificate_chain.t b/ssl_certificate_chain.t --- a/ssl_certificate_chain.t +++ b/ssl_certificate_chain.t @@ -71,7 +71,10 @@ my $d = $t->testdir(); default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name +x509_extensions = myca_extensions [ req_distinguished_name ] +[ myca_extensions ] +basicConstraints = critical,CA:TRUE EOF $t->write_file('ca.conf', <testdir(); default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name +x509_extensions = myca_extensions [ req_distinguished_name ] +[ myca_extensions ] +basicConstraints = critical,CA:TRUE EOF $t->write_file('ca.conf', <write_file('ca.conf', <write_file('ca.conf', <testdir(); default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name +x509_extensions = myca_extensions [ req_distinguished_name ] +[ myca_extensions ] +basicConstraints = critical,CA:TRUE EOF $t->write_file('ca.conf', <
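Review bot: In the ssl.t hunk, `x509_extensions = myca_extensions` is added beside `distinguished_name`, so it appears to sit in the `[ req ]` section and would then apply to every `openssl req -x509` run that reads this openssl.conf, not only to the root used by `openssl ca`. The generating commands are outside the hunk, but if the same config also produces end-entity certificates, those would carry `CA:TRUE` as well, which is wider than the description intends and could mask chain-validation failures the tests are meant to catch. Consider leaving the `[ req ]` default unset and selecting the section only for the root, e.g. `-extensions myca_extensions` on that one command. The same applies to the identical hunk in ssl_certificate_chain.t and to the later hunks, whose file headers are not visible here. A config comment above `[ myca_extensions ]`, such as `# OpenSSL 3.2.0+ emits X.509v3 by default; "openssl ca" needs CA:TRUE on the signer`, would record why the section exists.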