diff options
author | Rich Salz <rsalz@openssl.org> | 2016-06-12 22:21:54 -0400 |
---|---|---|
committer | Rich Salz <rsalz@openssl.org> | 2016-06-13 09:18:22 -0400 |
commit | a7be5759cf9d8e2bf7c1ecd0efa2d53aae9ab706 (patch) | |
tree | ad030fac8b3b0582d0dd76e16dfe5cd2158ba5e0 /apps/openssl-vms.cnf | |
parent | 7d6284057b66458f6c99bd65ba67377d63411090 (diff) | |
download | openssl-a7be5759cf9d8e2bf7c1ecd0efa2d53aae9ab706.zip openssl-a7be5759cf9d8e2bf7c1ecd0efa2d53aae9ab706.tar.gz openssl-a7be5759cf9d8e2bf7c1ecd0efa2d53aae9ab706.tar.bz2 |
RT3809: basicConstraints is critical
This is really a security bugfix, not enhancement any more.
Everyone knows critical extensions.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'apps/openssl-vms.cnf')
-rw-r--r-- | apps/openssl-vms.cnf | 6 |
1 files changed, 1 insertions, 5 deletions
diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf index 5b3a27f..0092a65 100644 --- a/apps/openssl-vms.cnf +++ b/apps/openssl-vms.cnf @@ -233,11 +233,7 @@ subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true +basicConstraints = critical,CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best |