authorRich Salz <rsalz@openssl.org>2016-06-13 04:21:54 +0200
committerRich Salz <rsalz@openssl.org>2016-06-13 15:18:22 +0200
commita7be5759cf9d8e2bf7c1ecd0efa2d53aae9ab706 (patch)
treead030fac8b3b0582d0dd76e16dfe5cd2158ba5e0 /apps
parentbn/bn_add.c: favour counted loops over ifs and breaks. (diff)
RT3809: basicConstraints is critical
This is really a security bugfix, not enhancement any more. Everyone knows critical extensions. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'apps')
-rw-r--r--apps/openssl-vms.cnf6
-rw-r--r--apps/openssl.cnf6
2 files changed, 2 insertions, 10 deletions
diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index 5b3a27fc4b..0092a650cb 100644
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -233,11 +233,7 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
+basicConstraints = critical,CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
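Review bot: The new `basicConstraints = critical,CA:true` line in this hunk carries no comment, whereas the removed lines at least recorded why the value was chosen; the identical hunk in apps/openssl.cnf has the same gap. A one-line comment above the setting would keep the rationale next to it, for example `# PKIX (RFC 5280) requires basicConstraints to be marked critical in CA certificates.`. It is also worth saying, in the comment or the commit description, that this only changes the default for newly generated CA certificates. Certificates already issued from the old default keep the extension non-critical and would need to be reissued to pick it up. The section this line belongs to starts outside the hunk, so whether other basicConstraints lines in these files need the same treatment cannot be judged from here.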
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 53c4bef044..b3e7444e5f 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -233,11 +233,7 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
+basicConstraints = critical,CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best