Tests: compatibility with OpenSSL 3.2.0

OpenSSL 3.2.0 generates X.509v3 certificates by default. These certificates, even self-signed, cannot sign other certificates unless "CA:TRUE" is explicitly set in the basicConstraints extension. As a result, tests attempting this are currently failing. Fix is to provide "CA:TRUE" in the basicConstraints for self-signed root certificates used in "openssl ca" commands. Closes: https://github.com/nginx/unit/issues/1202 Tested-by: Andrew Clayton <a.clayton@nginx.com> Reviewed-by: Andrew Clayton <a.clayton@nginx.com>
author: Andrei Zeliankou <zelenkov@nginx.com> 2024-04-08 02:18:37 +0100
committer: andrey-zelenkov <xim.andrew@gmail.com> 2024-04-10 14:28:35 +0100
commit: a625a0b1f0d822b3224b7b29565fe9733b634afd (patch)
tree: 9feeba7e42fe00ee2f9e1e78113d961135f8ab2f
parent: 5f606742433f965f8308c4b4cd2c34424b8158a9 (diff)
download: unit-a625a0b1f0d822b3224b7b29565fe9733b634afd.tar.gz
unit-a625a0b1f0d822b3224b7b29565fe9733b634afd.tar.bz2
1 files changed, 5 insertions, 1 deletions
diff --git a/test/unit/applications/tls.py b/test/unit/applications/tls.py
index 75354dd9..b48293be 100644
--- a/test/unit/applications/tls.py
+++ b/test/unit/applications/tls.py
@@ -85,9 +85,13 @@ subjectAltName = @alt_names
 default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
+x509_extensions = myca_extensions
 
 {a_sec if alt_names else ""}
-[ req_distinguished_name ]'''
+[ req_distinguished_name ]
+
+[ myca_extensions ]
+basicConstraints = critical,CA:TRUE'''
             )
 
     def load(self, script, name=None):
author	Andrei Zeliankou <zelenkov@nginx.com>	2024-04-08 02:18:37 +0100
committer	andrey-zelenkov <xim.andrew@gmail.com>	2024-04-10 14:28:35 +0100
commit	a625a0b1f0d822b3224b7b29565fe9733b634afd (patch)
tree	9feeba7e42fe00ee2f9e1e78113d961135f8ab2f
parent	5f606742433f965f8308c4b4cd2c34424b8158a9 (diff)
download	unit-a625a0b1f0d822b3224b7b29565fe9733b634afd.tar.gz unit-a625a0b1f0d822b3224b7b29565fe9733b634afd.tar.bz2