diff options
| author | Rich Salz <rsalz@openssl.org> | 2016-06-12 22:21:54 -0400 |
|---|---|---|
| committer | Rich Salz <rsalz@openssl.org> | 2016-06-13 09:18:22 -0400 |
| commit | a7be5759cf9d8e2bf7c1ecd0efa2d53aae9ab706 (patch) | |
| tree | ad030fac8b3b0582d0dd76e16dfe5cd2158ba5e0 | |
| parent | 7d6284057b66458f6c99bd65ba67377d63411090 (diff) | |
RT3809: basicConstraints is critical
This is really a security bugfix, not enhancement any more.
Everyone knows critical extensions.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
| -rw-r--r-- | apps/openssl-vms.cnf | 6 | ||||
| -rw-r--r-- | apps/openssl.cnf | 6 | ||||
| -rw-r--r-- | doc/apps/req.pod | 2 | ||||
| -rw-r--r-- | test/CAss.cnf | 2 | ||||
| -rwxr-xr-x | test/certs/mkcert.sh | 4 |
5 files changed, 6 insertions, 14 deletions
diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf index 5b3a27fc4b..0092a650cb 100644 --- a/apps/openssl-vms.cnf +++ b/apps/openssl-vms.cnf @@ -233,11 +233,7 @@ subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true +basicConstraints = critical,CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best diff --git a/apps/openssl.cnf b/apps/openssl.cnf index 53c4bef044..b3e7444e5f 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf @@ -233,11 +233,7 @@ subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true +basicConstraints = critical,CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best diff --git a/doc/apps/req.pod b/doc/apps/req.pod index a891c3eeef..299d092799 100644 --- a/doc/apps/req.pod +++ b/doc/apps/req.pod @@ -543,7 +543,7 @@ Sample configuration file prompting for field values: subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always - basicConstraints = CA:true + basicConstraints = critical, CA:true Sample configuration containing all field values: diff --git a/test/CAss.cnf b/test/CAss.cnf index 336e82fd52..b20a242760 100644 --- a/test/CAss.cnf +++ b/test/CAss.cnf @@ -71,6 +71,6 @@ emailAddress = optional [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always -basicConstraints = CA:true,pathlen:1 +basicConstraints = critical,CA:true,pathlen:1 keyUsage = cRLSign, keyCertSign issuerAltName=issuer:copy diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh index ec2e374038..daa0679ee8 100755 --- a/test/certs/mkcert.sh +++ b/test/certs/mkcert.sh @@ -88,7 +88,7 @@ genroot() { local skid="subjectKeyIdentifier = hash" local akid="authorityKeyIdentifier = keyid" - exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true") + exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true") for eku in "$@" do exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku") @@ -107,7 +107,7 @@ genca() { local skid="subjectKeyIdentifier = hash" local akid="authorityKeyIdentifier = keyid" - exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true") + exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true") for eku in "$@" do exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku") |