1
0
mirror of https://github.com/systemd/systemd.git synced 2025-01-11 09:18:07 +03:00

test: make sure the dummy CA certificate is marked as such

With OpenSSL 3.2.0+ this is necessary, otherwise the verification
of such CA certificate fails badly:

$ openssl s_client -CAfile /run/systemd/remote-pki/ca.crt -connect localhost:19532
...
Connecting to ::1
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C=CZ, L=Brno, O=Foo, OU=Bar, CN=Test CA
verify error:num=79:invalid CA certificate
verify return:1
depth=1 C=CZ, L=Brno, O=Foo, OU=Bar, CN=Test CA
verify error:num=26:unsuitable certificate purpose
verify return:1
...
---
SSL handshake has read 1566 bytes and written 409 bytes
Verification error: unsuitable certificate purpose
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 26 (unsuitable certificate purpose)
This commit is contained in:
Frantisek Sumsal 2023-12-23 13:33:11 +01:00
parent 338ed5bea4
commit 4e5984f027

View File

@ -109,6 +109,11 @@ L = Brno
O = Foo
OU = Bar
CN = Test CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
EOF
cat >/run/systemd/remote-pki/client.conf <<EOF
[ req ]
@ -136,9 +141,11 @@ CN = localhost
EOF
# Generate a dummy CA
openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 7 \
-extensions v3_ca \
-config /run/systemd/remote-pki/ca.conf \
-keyout /run/systemd/remote-pki/ca.key \
-out /run/systemd/remote-pki/ca.crt
openssl x509 -in /run/systemd/remote-pki/ca.crt -noout -text
echo 01 >/run/systemd/remote-pki/ca.srl
# Generate a client key and signing request
openssl req -nodes -newkey rsa:2048 -sha256 \