aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/test/make_certs.erl
diff options
context:
space:
mode:
authorPaul Guyot <[email protected]>2010-08-04 11:44:41 +0200
committerBjörn Gustavsson <[email protected]>2010-08-18 13:36:42 +0200
commit60b61d948a472fc7c519bba25aefc409b28d08e8 (patch)
treee7060ae7d54220cf6dc1be14b60add0ae4133353 /lib/ssl/test/make_certs.erl
parent0d553b45b5c3ae8287340887f271bc70f1f1370c (diff)
downloadotp-60b61d948a472fc7c519bba25aefc409b28d08e8.tar.gz
otp-60b61d948a472fc7c519bba25aefc409b28d08e8.tar.bz2
otp-60b61d948a472fc7c519bba25aefc409b28d08e8.zip
Fix bug in ssl handshake protocol related to the choice of cipher suites
in client hello message when a client certificate is used The client hello message now always include ALL available cipher suites (or those specified by the ciphers option). Previous implementation would filter them based on the client certificate key usage extension (such filtering only makes sense for the server certificate).
Diffstat (limited to 'lib/ssl/test/make_certs.erl')
-rw-r--r--lib/ssl/test/make_certs.erl16
1 files changed, 14 insertions, 2 deletions
diff --git a/lib/ssl/test/make_certs.erl b/lib/ssl/test/make_certs.erl
index 0cdf33c3e2..3c18a905b4 100644
--- a/lib/ssl/test/make_certs.erl
+++ b/lib/ssl/test/make_certs.erl
@@ -90,8 +90,10 @@ enduser(Root, OpenSSLCmd, CA, User) ->
KeyFile = filename:join([UsrRoot, "key.pem"]),
ReqFile = filename:join([UsrRoot, "req.pem"]),
create_req(Root, OpenSSLCmd, CnfFile, KeyFile, ReqFile),
- CertFile = filename:join([UsrRoot, "cert.pem"]),
- sign_req(Root, OpenSSLCmd, CA, "user_cert", ReqFile, CertFile).
+ CertFileAllUsage = filename:join([UsrRoot, "cert.pem"]),
+ sign_req(Root, OpenSSLCmd, CA, "user_cert", ReqFile, CertFileAllUsage),
+ CertFileDigitalSigOnly = filename:join([UsrRoot, "digital_signature_only_cert.pem"]),
+ sign_req(Root, OpenSSLCmd, CA, "user_cert_digital_signature_only", ReqFile, CertFileDigitalSigOnly).
collect_certs(Root, CAs, Users) ->
Bins = lists:foldr(
@@ -255,6 +257,7 @@ ca_cnf(CA) ->
"RANDFILE = $dir/private/RAND\n"
"\n"
"x509_extensions = user_cert\n"
+ "unique_subject = no\n"
"default_days = 3600\n"
"default_md = sha1\n"
"preserve = no\n"
@@ -279,6 +282,15 @@ ca_cnf(CA) ->
"issuerAltName = issuer:copy\n"
"\n"
+ "[user_cert_digital_signature_only]\n"
+ "basicConstraints = CA:false\n"
+ "keyUsage = digitalSignature\n"
+ "subjectKeyIdentifier = hash\n"
+ "authorityKeyIdentifier = keyid,issuer:always\n"
+ "subjectAltName = email:copy\n"
+ "issuerAltName = issuer:copy\n"
+ "\n"
+
"[ca_cert]\n"
"basicConstraints = critical,CA:true\n"
"keyUsage = cRLSign, keyCertSign\n"