From 4e5984f0271dd14d24aa25ff1d5401378acaa7c4 Mon Sep 17 00:00:00 2001 From: Frantisek Sumsal Date: Sat, 23 Dec 2023 13:33:11 +0100 Subject: [PATCH] test: make sure the dummy CA certificate is marked as such With OpenSSL 3.2.0+ this is necessary, otherwise the verification of such CA certificate fails badly: $ openssl s_client -CAfile /run/systemd/remote-pki/ca.crt -connect localhost:19532 ... Connecting to ::1 CONNECTED(00000003) Can't use SSL_get_servername depth=1 C=CZ, L=Brno, O=Foo, OU=Bar, CN=Test CA verify error:num=79:invalid CA certificate verify return:1 depth=1 C=CZ, L=Brno, O=Foo, OU=Bar, CN=Test CA verify error:num=26:unsuitable certificate purpose verify return:1 ... --- SSL handshake has read 1566 bytes and written 409 bytes Verification error: unsuitable certificate purpose --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 2048 bit This TLS version forbids renegotiation. Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 26 (unsuitable certificate purpose) --- test/units/testsuite-04.journal-remote.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/test/units/testsuite-04.journal-remote.sh b/test/units/testsuite-04.journal-remote.sh index b7d9cbd81ba..c7b99b11fbb 100755 --- a/test/units/testsuite-04.journal-remote.sh +++ b/test/units/testsuite-04.journal-remote.sh @@ -109,6 +109,11 @@ L = Brno O = Foo OU = Bar CN = Test CA + +[ v3_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = CA:true EOF cat >/run/systemd/remote-pki/client.conf </run/systemd/remote-pki/ca.srl # Generate a client key and signing request openssl req -nodes -newkey rsa:2048 -sha256 \
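Review bot: In the new `[ v3_ca ]` section, `basicConstraints = CA:true` is not marked critical and no `keyUsage` is set, so the dummy CA is still looser than RFC 5280 asks of a CA certificate and may trip a stricter verifier later. Consider `basicConstraints = critical,CA:true` and adding `keyUsage = critical,keyCertSign,cRLSign`. The section only takes effect if the `openssl req -x509` call that creates the CA selects it, via `-extensions v3_ca` or `x509_extensions = v3_ca` under `[ req ]`. That call is not visible here, and the diffstat counts 7 insertions of which only 5 appear in this hunk, so presumably the rest of the patch handles it; worth confirming. The ca.conf heredoc being edited starts above the hunk, and a short `# OpenSSL 3.2.0+ rejects a CA certificate without CA:true` comment above the section would keep the reason next to the config.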