The configuration file openssl.cnf in the repository in path app/ has the following entry for a “typical CA”:

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

These settings date back to the year 1999. [1, 2]

If I understand RFC 5280 correctly, conforming CAs must mark the basicConstraints extension as critical if the public key is used to validate digital signatures on certificates. Since this is the “typical” case (and the configuration is for a “typical CA”), I would like to suggest changing the default behaviour and setting the basicConstraints extension to critical by default.

I think the right way is not to “fix” the configuration file so that it works with broken software. Instead, the default settings should be as close as possible to the RFC.

Sources:

RFC 5280: “Conforming CAs MUST include this extension in all CA certificates that contain public keys used to validate digital signatures on certificates and MUST mark the extension as critical in such certificates.”

[1] https://github.com/openssl/openssl/commit/257e206da6b42181b0dc8976792164c4d9cff89b#diff-8ce6aaad88b10ed2b3b4592fd5c8e03a
[2] https://github.com/openssl/openssl/commit/b2347661cef9447600a77b33575639a1bce6725c

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
