Patch-Source: https://github.com/nginx/nginx-tests/commit/953461781bc0cd780bb5c4b3a3d727d7842e8d2e
--
From 953461781bc0cd780bb5c4b3a3d727d7842e8d2e Mon Sep 17 00:00:00 2001
From: Maxim Dounin
Date: Mon, 29 Jan 2024 00:34:16 +0300
Subject: [PATCH] Tests: compatibility with "openssl" app from OpenSSL 3.2.0.
OpenSSL 3.2.0's "openssl" app generates X.509v3 certificates unless explicitly asked not to. Such certificates, even self-signed ones, cannot be used to sign other certificates without CA:TRUE explicitly set in the basicConstraints extension. As a result, tests doing so are now failing. Fix is to provide basicConstraints with CA:TRUE for self-signed root certificates used in "openssl ca" calls.
---
ssl.t | 3 +++
ssl_certificate_chain.t | 3 +++
ssl_crl.t | 3 +++
ssl_ocsp.t | 3 +++
ssl_stapling.t | 3 +++
ssl_verify_depth.t | 3 +++
6 files changed, 18 insertions(+)
diff --git a/ssl.t b/ssl.t
index 13d3daef..6055e083 100644
--- a/ssl.t
+++ b/ssl.t
@@ -116,7 +116,10 @@ $t->write_file('openssl.conf', <testdir();
diff --git a/ssl_certificate_chain.t b/ssl_certificate_chain.t
index 0fce9378..764933f1 100644
--- a/ssl_certificate_chain.t
+++ b/ssl_certificate_chain.t
@@ -71,7 +71,10 @@ $t->write_file('openssl.conf', <write_file('ca.conf', <write_file('openssl.conf', <write_file('ca.conf', <write_file('openssl.conf', <write_file('ca.conf', <write_file('openssl.conf', <write_file('ca.conf', <write_file('openssl.conf', <write_file('ca.conf', <