RT3809: basicConstraints is critical

This is really a security bugfix, not enhancement any more. Everyone knows critical extensions. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
author: Rich Salz <rsalz@openssl.org> 2016-06-12 22:21:54 -0400
committer: Rich Salz <rsalz@openssl.org> 2016-06-13 09:18:22 -0400
commit: a7be5759cf9d8e2bf7c1ecd0efa2d53aae9ab706 (patch)
tree: ad030fac8b3b0582d0dd76e16dfe5cd2158ba5e0 /apps/openssl.cnf
parent: 7d6284057b66458f6c99bd65ba67377d63411090 (diff)
1 files changed, 1 insertions, 5 deletions
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 53c4bef044..b3e7444e5f 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -233,11 +233,7 @@ subjectKeyIdentifier=hash
 
 authorityKeyIdentifier=keyid:always,issuer
 
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
+basicConstraints = critical,CA:true
 
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
author	Rich Salz <rsalz@openssl.org>	2016-06-12 22:21:54 -0400
committer	Rich Salz <rsalz@openssl.org>	2016-06-13 09:18:22 -0400
commit	a7be5759cf9d8e2bf7c1ecd0efa2d53aae9ab706 (patch)
tree	ad030fac8b3b0582d0dd76e16dfe5cd2158ba5e0 /apps/openssl.cnf
parent	7d6284057b66458f6c99bd65ba67377d63411090 (diff)