apps/s_socket.c: address rare TLSProxy failures on Windows.

[openssl.git] / apps / openssl.cnf

diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 53c4bef04481f40ab70e7c2cec9eee45357ff05b..7d1a8bb6e7f06b7abf6df53dca4e3170b7fdd2f6 100644 (file)
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -3,6 +3,10 @@
 # This is mostly being used for generation of certificate requests.
 #
 
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
 # This definition stops the following lines choking if HOME isn't
 # defined.
 HOME                   = .
@@ -233,11 +237,7 @@ subjectKeyIdentifier=hash
 
 authorityKeyIdentifier=keyid:always,issuer
 
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
+basicConstraints = critical,CA:true
 
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
@@ -348,3 +348,5 @@ tsa_name            = yes   # Must the TSA name be included in the reply?
                                # (optional, default: no)
 ess_cert_id_chain      = no    # Must the ESS cert id chain be included?
                                # (optional, default: no)
+ess_cert_id_alg                = sha1  # algorithm to compute certificate
+                               # identifier (optional, default: sha1)