From a625a0b1f0d822b3224b7b29565fe9733b634afd Mon Sep 17 00:00:00 2001
From: Andrei Zeliankou
Date: Mon, 8 Apr 2024 02:18:37 +0100
Subject: Tests: compatibility with OpenSSL 3.2.0
OpenSSL 3.2.0 generates X.509v3 certificates by default. These certificates, even self-signed, cannot sign other certificates unless "CA:TRUE" is explicitly set in the basicConstraints extension. As a result, tests attempting this are currently failing. Fix is to provide "CA:TRUE" in the basicConstraints for self-signed root certificates used in "openssl ca" commands.
Closes: https://github.com/nginx/unit/issues/1202
Tested-by: Andrew Clayton
Reviewed-by: Andrew Clayton
---
 test/unit/applications/tls.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
 (limited to 'test')
diff --git a/test/unit/applications/tls.py b/test/unit/applications/tls.py
index 75354dd9..b48293be 100644
--- a/test/unit/applications/tls.py
+++ b/test/unit/applications/tls.py
@@ -85,9 +85,13 @@ subjectAltName = @alt_names
 default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
+x509_extensions = myca_extensions
 {a_sec if alt_names else ""}
-[ req_distinguished_name ]'''
+[ req_distinguished_name ]
+
+[ myca_extensions ]
+basicConstraints = critical,CA:TRUE'''
 )
 def load(self, script, name=None):
-- cgit
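Review bot: The added `x509_extensions = myca_extensions` line sits in `[ req ]`, so every certificate self-signed with this generated config gets `basicConstraints = critical,CA:TRUE`, not only the roots later used with `openssl ca`; whether leaf-style test certificates are produced from the same config is not visible in this hunk. If they are, the suite no longer exercises a non-CA self-signed certificate, so it may be worth selecting the section only when a root is generated (for example through the `-extensions` option of `openssl req`) instead of making it the default. Either way the template should record why the section exists, e.g. a config comment `# X.509v3 certs (default since OpenSSL 3.2.0) need CA:TRUE to be usable by "openssl ca"` directly above `[ myca_extensions ]`. The enclosing method begins before the hunk, so the callers of this config were not reviewed.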