changeset 1945:0b5ec15c62ed

Tests: compatibility with "openssl" app from OpenSSL 3.2.0. OpenSSL 3.2.0's "openssl" app generates X.509v3 certificates unless explicitly asked not to. Such certificates, even self-signed ones, cannot be used to sign other certificates without CA:TRUE explicitly set in the basicConstraints extension. As a result, tests doing so are now failing. Fix is to provide basicConstraints with CA:TRUE for self-signed root certificates used in "openssl ca" calls.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 29 Jan 2024 00:34:16 +0300
parents c287864444f8
children 374722806924
files ssl.t ssl_certificate_chain.t ssl_crl.t ssl_ocsp.t ssl_stapling.t ssl_verify_depth.t
diffstat 6 files changed, 18 insertions(+), 0 deletions(-) [+]
--- a/ssl.t
+++ b/ssl.t
@@ -116,7 +116,10 @@ EOF
 default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
+x509_extensions = myca_extensions
 [ req_distinguished_name ]
+[ myca_extensions ]
+basicConstraints = critical,CA:TRUE
 EOF
 
 my $d = $t->testdir();
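Review bot: `x509_extensions = myca_extensions` is set as the default for the whole req config, so every certificate created with `openssl req -x509` from openssl.conf gets `basicConstraints = critical,CA:TRUE`, not just the root later used by `openssl ca`. The heredoc and the openssl invocations are outside the hunk, so this is inferred: if the same config also produces the self-signed server or client certificates, those end-entity certificates become CA-capable, and the tests would not notice a regression in how CA and leaf certificates are told apart. A narrower form is to drop the default line, keep the `[ myca_extensions ]` section, and pass `-extensions myca_extensions` only on the root's `openssl req -x509` call. A config comment such as `# OpenSSL 3.2.0+ issues X.509v3 by default; the signing root needs CA:TRUE` would also record why the section exists. The same applies to the identical hunks in ssl_certificate_chain.t, ssl_crl.t, ssl_ocsp.t, ssl_stapling.t and ssl_verify_depth.t.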
--- a/ssl_certificate_chain.t
+++ b/ssl_certificate_chain.t
@@ -71,7 +71,10 @@ my $d = $t->testdir();
 default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
+x509_extensions = myca_extensions
 [ req_distinguished_name ]
+[ myca_extensions ]
+basicConstraints = critical,CA:TRUE
 EOF
 
 $t->write_file('ca.conf', <<EOF);
--- a/ssl_crl.t
+++ b/ssl_crl.t
@@ -79,7 +79,10 @@ my $d = $t->testdir();
 default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
+x509_extensions = myca_extensions
 [ req_distinguished_name ]
+[ myca_extensions ]
+basicConstraints = critical,CA:TRUE
 EOF
 
 $t->write_file('ca.conf', <<EOF);
--- a/ssl_ocsp.t
+++ b/ssl_ocsp.t
@@ -116,7 +116,10 @@ my $p = port(8081);
 default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
+x509_extensions = myca_extensions
 [ req_distinguished_name ]
+[ myca_extensions ]
+basicConstraints = critical,CA:TRUE
 EOF
 
 $t->write_file('ca.conf', <<EOF);
--- a/ssl_stapling.t
+++ b/ssl_stapling.t
@@ -125,7 +125,10 @@ my $p = port(8081);
 default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
+x509_extensions = myca_extensions
 [ req_distinguished_name ]
+[ myca_extensions ]
+basicConstraints = critical,CA:TRUE
 EOF
 
 $t->write_file('ca.conf', <<EOF);
--- a/ssl_verify_depth.t
+++ b/ssl_verify_depth.t
@@ -76,7 +76,10 @@ my $d = $t->testdir();
 default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
+x509_extensions = myca_extensions
 [ req_distinguished_name ]
+[ myca_extensions ]
+basicConstraints = critical,CA:TRUE
 EOF
 
 $t->write_file('ca.conf', <<EOF);