Tests: compatibility with OpenSSL 3.2.0

OpenSSL 3.2.0 generates X.509v3 certificates by default. These certificates, even self-signed, cannot sign other certificates unless "CA:TRUE" is explicitly set in the basicConstraints extension. As a result, tests attempting this are currently failing. Fix is to provide "CA:TRUE" in the basicConstraints for self-signed root certificates used in "openssl ca" commands. Closes: nginx#1202 Tested-by: Andrew Clayton <[email protected]> Reviewed-by: Andrew Clayton <[email protected]>
andrey-zelenkov · Apr 10, 2024 · 8923ec7 · 8923ec7
1 parent 5f60674
commit 8923ec7
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/test/unit/applications/tls.py b/test/unit/applications/tls.py
@@ -85,9 +85,13 @@ def openssl_conf(self, rewrite=False, alt_names=None):
 default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
+x509_extensions = myca_extensions
 
 {a_sec if alt_names else ""}
-[ req_distinguished_name ]'''
+[ req_distinguished_name ]
+
+[ myca_extensions ]
+basicConstraints = critical,CA:TRUE'''
             )
 
     def load(self, script, name=None):