From 63eb73dd4041f75aa6085d499646c415d507af37 Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi
Date: Sun, 8 May 2016 16:19:34 +0900
Subject: rack: tls_listener: fix certificate extensions
Since the (dummy generated) certificate is not a CA, basicConstraints=cA:TRUE is not good. Also subjectKeyIdentifier is missing.
---
 lib/plum/rack/listener.rb | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/lib/plum/rack/listener.rb b/lib/plum/rack/listener.rb
index ac60310..b335fb3 100644
--- a/lib/plum/rack/listener.rb
+++ b/lib/plum/rack/listener.rb
@@ -125,11 +125,9 @@ module Plum
 cert.serial = rand((1 << 20) - 1)
 cert.version = 2
- ef = OpenSSL::X509::ExtensionFactory.new
- ef.subject_certificate = cert
- ef.issuer_certificate = cert
+ ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
 cert.extensions = [
- ef.create_extension("basicConstraints", "CA:TRUE", true),
+ ef.create_extension("subjectKeyIdentifier", "hash")
 ]
 cert.sign(key, OpenSSL::Digest::SHA256.new)
--
cgit v1.2.3
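Review bot: After this change the `cert.extensions` array carries only `subjectKeyIdentifier`, so the certificate's non-CA status is implied by the absence of `basicConstraints` rather than stated. Adding `ef.create_extension("basicConstraints", "CA:FALSE", true),` ahead of the `subjectKeyIdentifier` entry would make the end-entity intent explicit for any verifier that inspects the extension. A short comment above `OpenSSL::X509::ExtensionFactory.new(cert, cert)`, for example `# self-signed: issuer and subject are the same certificate`, would also explain why the same object is passed twice. The enclosing method starts and ends outside the hunk, so how the generated certificate is used afterwards cannot be confirmed from here.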