[openssl-commits] [openssl] master update
Rich Salz
rsalz at openssl.org
Mon Jun 13 13:18:46 UTC 2016
The branch master has been updated
via a7be5759cf9d8e2bf7c1ecd0efa2d53aae9ab706 (commit)
from 7d6284057b66458f6c99bd65ba67377d63411090 (commit)
- Log -----------------------------------------------------------------
commit a7be5759cf9d8e2bf7c1ecd0efa2d53aae9ab706
Author: Rich Salz <rsalz at openssl.org>
Date: Sun Jun 12 22:21:54 2016 -0400
RT3809: basicConstraints is critical
This is really a security bugfix, not enhancement any more.
Everyone knows critical extensions.
Reviewed-by: Dr. Stephen Henson <steve at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
apps/openssl-vms.cnf | 6 +-----
apps/openssl.cnf | 6 +-----
doc/apps/req.pod | 2 +-
test/CAss.cnf | 2 +-
test/certs/mkcert.sh | 4 ++--
5 files changed, 6 insertions(+), 14 deletions(-)
diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index 5b3a27f..0092a65 100644
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -233,11 +233,7 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
+basicConstraints = critical,CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 53c4bef..b3e7444 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -233,11 +233,7 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
+basicConstraints = critical,CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
diff --git a/doc/apps/req.pod b/doc/apps/req.pod
index a891c3e..299d092 100644
--- a/doc/apps/req.pod
+++ b/doc/apps/req.pod
@@ -543,7 +543,7 @@ Sample configuration file prompting for field values:
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
- basicConstraints = CA:true
+ basicConstraints = critical, CA:true
Sample configuration containing all field values:
diff --git a/test/CAss.cnf b/test/CAss.cnf
index 336e82f..b20a242 100644
--- a/test/CAss.cnf
+++ b/test/CAss.cnf
@@ -71,6 +71,6 @@ emailAddress = optional
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:true,pathlen:1
+basicConstraints = critical,CA:true,pathlen:1
keyUsage = cRLSign, keyCertSign
issuerAltName=issuer:copy
diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh
index ec2e374..daa0679 100755
--- a/test/certs/mkcert.sh
+++ b/test/certs/mkcert.sh
@@ -88,7 +88,7 @@ genroot() {
local skid="subjectKeyIdentifier = hash"
local akid="authorityKeyIdentifier = keyid"
- exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true")
+ exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true")
for eku in "$@"
do
exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
@@ -107,7 +107,7 @@ genca() {
local skid="subjectKeyIdentifier = hash"
local akid="authorityKeyIdentifier = keyid"
- exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true")
+ exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true")
for eku in "$@"
do
exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
More information about the openssl-commits
mailing list