[openssl-dev] [openssl.org #3809] [enhancement request] add critical to basicConstraints in openssl.cnf

Daniel Etzold via RT rt at openssl.org
Fri Apr 17 20:09:15 UTC 2015


The configuration file openssl.cnf in the repository in path app/ has the
following entry for a “typical CA”:

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

These settings date back to the year 1999. [1, 2]

As I understand RFC 5280, conforming CAs must mark the
basicConstraints extension as critical if the public key is used to validate
digital signatures on certificates. Since this is the “typical” case (and
the configuration is for a “typical CA”), I would like to suggest changing
the default behaviour and setting the basicConstraints extension to critical by
default.


I think the right way is not to “fix” the configuration file so that it
works with broken software. Instead the default settings should be as close
as possible to the RFC.

Sources:

RFC 5280:

“Conforming CAs MUST include this extension in all CA certificates that
contain public keys used to validate digital signatures on certificates and
MUST mark the extension as critical in such certificates.”

[1]
https://github.com/openssl/openssl/commit/257e206da6b42181b0dc8976792164c4d9cff89b#diff-8ce6aaad88b10ed2b3b4592fd5c8e03a

[2]
https://github.com/openssl/openssl/commit/b2347661cef9447600a77b33575639a1bce6725c
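
The difference between the two openssl.cnf lines discussed in the message above is visible in the DER encoding of the certificate's extension list. The following is an added example, not part of the original message or of OpenSSL: a standard-library check of whether basicConstraints is present, asserts cA, and is marked critical. The function names and the two sample byte strings are constructed for illustration.

```python
# Added example (not OpenSSL code): inspect basicConstraints in a DER-encoded
# X.509 Extensions value (SEQUENCE OF Extension) using only the stdlib.
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # 2.5.29.19

# Constructed samples: what "basicConstraints = CA:true" and
# "basicConstraints = critical,CA:true" encode to as a one-entry extension list.
NONCRITICAL = bytes.fromhex("300e300c0603551d13040530030101ff")
CRITICAL = bytes.fromhex("3011300f0603551d130101ff040530030101ff")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def basic_constraints(extensions_der):
    """Return {'critical': bool, 'ca': bool}, or None if the extension is absent."""
    tag, body, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF Extension")
    pos = 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        fields, p = [], 0
        while p < len(ext):
            t, v, p = read_tlv(ext, p)
            fields.append((t, v))
        if fields[0] != (0x06, BASIC_CONSTRAINTS_OID):
            continue  # some other extension, e.g. keyUsage
        # critical is BOOLEAN DEFAULT FALSE, so DER omits the field when false.
        critical = len(fields) == 3 and fields[1] == (0x01, b"\xff")
        # extnValue is an OCTET STRING wrapping the BasicConstraints SEQUENCE.
        _, bc, _ = read_tlv(fields[-1][1], 0)
        ca = bc[:3] == b"\x01\x01\xff"  # cA BOOLEAN, also DEFAULT FALSE
        return {"critical": critical, "ca": ca}
    return None

def ca_cert_conforms(extensions_der):
    """True only if basicConstraints is present, has cA set and is critical."""
    bc = basic_constraints(extensions_der)
    return bc is not None and bc["ca"] and bc["critical"]
```

The input is the Extensions value taken from a certificate, not the whole certificate; extracting it from a full certificate is outside this example.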


