RT3809: basicConstraints is critical
authorRich Salz <rsalz@openssl.org>
Mon, 13 Jun 2016 02:21:54 +0000 (22:21 -0400)
committerRich Salz <rsalz@openssl.org>
Mon, 13 Jun 2016 13:18:22 +0000 (09:18 -0400)
This is really a security bugfix, not an enhancement any more.
Everyone handles critical extensions these days.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
apps/openssl-vms.cnf
apps/openssl.cnf
doc/apps/req.pod
test/CAss.cnf
test/certs/mkcert.sh

index 5b3a27fc4b5ac55b1329ac193cd52a7d206aa33d..0092a650cb97bfbe687b04e9d5d7f929235ca42d 100644 (file)
@@ -233,11 +233,7 @@ subjectKeyIdentifier=hash
 
 authorityKeyIdentifier=keyid:always,issuer
 
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
+basicConstraints = critical,CA:true
 
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
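Review bot: The new `basicConstraints = critical,CA:true` at the top of this hunk drops the only explanation the file had for the flag, so the next maintainer who sees a critical extension in a sample config has nothing telling them it must stay critical. Keep a one-line rationale above it, `# RFC 5280 4.2.1.9: basicConstraints MUST be critical in a CA certificate (RT3809).` The removed comment's claim about "broken software" is gone, which is fine, but the positive requirement should replace it rather than nothing. The section header that encloses these keys is outside the hunk.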
index 53c4bef04481f40ab70e7c2cec9eee45357ff05b..b3e7444e5f22ef37be939d1cb51dd5dc1aa66acf 100644 (file)
@@ -233,11 +233,7 @@ subjectKeyIdentifier=hash
 
 authorityKeyIdentifier=keyid:always,issuer
 
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
+basicConstraints = critical,CA:true
 
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
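Review bot: Making basicConstraints critical tightens one half of the CA profile, but the comment at the bottom of this hunk indicates keyUsage is still left out of this section because it would stop the certificate doubling as a test self-signed cert (the sentence, and the section, continue past the hunk). A CA certificate with CA:true and no keyUsage leaves the CA key usable for anything a verifier will accept, which is the same class of laxity this commit is removing. Given the commit's premise that critical extensions are now universally handled, consider enabling `keyUsage = critical, cRLSign, keyCertSign` here, or at least extend the comment to say CA:true should be paired with keyUsage in anything but a throwaway test CA.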
index a891c3eeef76eb9fc0b79b5d7d48dffda2c91110..299d092799636fcb51f501f7be3e9665e9319c29 100644 (file)
@@ -543,7 +543,7 @@ Sample configuration file prompting for field values:
 
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid:always,issuer:always
- basicConstraints = CA:true
+ basicConstraints = critical, CA:true
 
 Sample configuration containing all field values:
 
index 336e82fd52ed4510b843b90623f3ea4e057d29f5..b20a2427603ba9f9507a76251a31706497417e4c 100644 (file)
@@ -71,6 +71,6 @@ emailAddress          = optional
 [ v3_ca ]
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:true,pathlen:1
+basicConstraints = critical,CA:true,pathlen:1
 keyUsage = cRLSign, keyCertSign
 issuerAltName=issuer:copy
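Review bot: `keyUsage = cRLSign, keyCertSign` on the line after the changed one is still non-critical, while RFC 5280 section 4.2.1.3 says conforming CAs SHOULD mark keyUsage critical when present; by the same reasoning that makes basicConstraints critical here, `keyUsage = critical, cRLSign, keyCertSign` would be consistent. Whether any test consuming CAss.cnf depends on the extension being non-critical cannot be seen from this hunk. The `pathlen:1` carried over on the new line is also undocumented; a short `# pathlen:1 - at most one intermediate CA may follow this one in a chain` above it would make the intent of the test fixture explicit.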
index ec2e3740380bb2a6dbe43c1d0e6f77899c9495b1..daa0679ee8d2ff0f8e1c23bec4f8265edc73700c 100755 (executable)
@@ -88,7 +88,7 @@ genroot() {
     local skid="subjectKeyIdentifier = hash"
     local akid="authorityKeyIdentifier = keyid"
 
-    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true")
+    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true")
     for eku in "$@"
     do
         exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
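Review bot: The changed line passes the basicConstraints extension as an inline literal while its two siblings are held in `local skid` and `local akid` just above; declaring `local bcons="basicConstraints = critical,CA:true"` and passing `"$bcons"` keeps the three extensions in one shape and gives the next change to this value a single place to land in this function. The same literal is repeated verbatim in genca below, so the duplication is now in two places. genroot() starts before this hunk and continues after it.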
@@ -107,7 +107,7 @@ genca() {
     local skid="subjectKeyIdentifier = hash"
     local akid="authorityKeyIdentifier = keyid"
 
-    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true")
+    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true")
     for eku in "$@"
     do
         exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
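Review bot: The intermediate CAs generated here get SKID, AKID, the now-critical basicConstraints and optional EKUs, but no keyUsage, so the generated CA keys carry no keyCertSign/cRLSign restriction. If these fixtures are meant to look like what a real CA issues, appending `keyUsage = critical, keyCertSign, cRLSign` to `exts` here would close that gap — but only if no existing test relies on a CA certificate that lacks keyUsage, which cannot be determined from this hunk. genca() starts before this hunk and ends after it.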