author | Sorah Fukumori <her@sorah.jp> | 2020-04-03 00:49:12 +0900 |
---|---|---|
committer | Sorah Fukumori <her@sorah.jp> | 2020-04-03 00:49:12 +0900 |
commit | 0f57d66f9e1e7bf4419d9d3a70132bbc4006f9fe (patch) | |
tree | de84dfbdb59fc678a1350f7cdad058dcb87ea54d /lib/webrick | |
parent | 9ddf1472375a590d1b1c3856f90fedf151fe30a3 (diff) | |
download | ruby-0f57d66f9e1e7bf4419d9d3a70132bbc4006f9fe.tar.gz |
webrick/ssl: More keyUsage for self-signed certs
Chrome 75+ started to strictly enforce X.509 keyUsage against TLS server
certificates. Webrick supports generating instant self-signed
certificates for debugging purposes and these certificates lack the required
keyUsage for modern TLS. So adding the following keyUsages:
- digitalSignature (for server authentication)
- keyAgreement (for DH key exchange)
- dataEncipherment (for data encryption)
References:
- https://tools.ietf.org/html/rfc5280#section-4.2.1.3
- https://crbug.com/795089
- https://boringssl-review.googlesource.com/c/34604
Diffstat (limited to 'lib/webrick')
-rw-r--r-- | lib/webrick/ssl.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/webrick/ssl.rb b/lib/webrick/ssl.rb index d125083528..ab1837fda6 100644 --- a/lib/webrick/ssl.rb +++ b/lib/webrick/ssl.rb @@ -122,7 +122,7 @@ module WEBrick ef.issuer_certificate = cert cert.extensions = [ ef.create_extension("basicConstraints","CA:FALSE"), - ef.create_extension("keyUsage", "keyEncipherment"), + ef.create_extension("keyUsage", "keyEncipherment, digitalSignature, keyAgreement, dataEncipherment"), ef.create_extension("subjectKeyIdentifier", "hash"), ef.create_extension("extendedKeyUsage", "serverAuth"), ef.create_extension("nsComment", comment), |
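Review bot: The new keyUsage value on the `+` line asserts more bits than TLS server authentication needs. Per RFC 5280 section 4.2.1.3 (the first reference in the commit message), keyAgreement is for certificates whose own public key is used for key agreement (static DH/ECDH), and dataEncipherment is for directly enciphering raw user data with the certificate key, without an intermediate symmetric cipher. With ephemeral (EC)DHE suites the certificate key only signs the handshake, so digitalSignature is the bit the stricter client check needs, and keyEncipherment already covers RSA key transport. Suggest narrowing the line to `ef.create_extension("keyUsage", "keyEncipherment, digitalSignature")` so the generated certificate does not advertise uses the server never performs. Separately, the diffstat shows only lib/webrick/ssl.rb changing; a test that asserts on the keyUsage of the generated certificate would keep this list from regressing.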