From a7be5759cf9d8e2bf7c1ecd0efa2d53aae9ab706 Mon Sep 17 00:00:00 2001
From: Rich Salz
Date: Sun, 12 Jun 2016 22:21:54 -0400
Subject: RT3809: basicConstraints is critical
This is really a security bugfix, not enhancement any more. Everyone knows critical extensions.
Reviewed-by: Dr. Stephen Henson
---
apps/openssl-vms.cnf | 6 +-----
apps/openssl.cnf | 6 +-----
2 files changed, 2 insertions(+), 10 deletions(-)
(limited to 'apps')
diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index 5b3a27fc4b..0092a650cb 100644
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -233,11 +233,7 @@ subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
+basicConstraints = critical,CA:true
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 53c4bef044..b3e7444e5f 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -233,11 +233,7 @@ subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
+basicConstraints = critical,CA:true
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
--
cgit v1.2.3
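Review bot: The new `basicConstraints = critical,CA:true` line in apps/openssl-vms.cnf is left with no comment at all, so the reason for the critical flag now lives only in the commit message; the identical hunk in apps/openssl.cnf has the same gap. I would add one line above it, `# CA certificates must mark basicConstraints critical (RFC 5280, section 4.2.1.9).`, so that a later compatibility complaint does not lead someone to drop the flag again. The flag matters because a verifier that does not recognise a non-critical extension may ignore it, whereas it must reject a certificate carrying an unrecognised critical one. The section header these lines belong to is outside the hunk.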