Merge pull request #2627 from JavierJF/v2.0.11-2622

Add X509V3 basic constraints required for CA certificate #2622

src/main.cpp

@@ -30,6 +30,8 @@
 
 #include "curl/curl.h"
 
+#include <openssl/x509v3.h>
+
 #include <sys/mman.h>
 
 /*
@@ -332,7 +334,7 @@ X509 * generate_x509(EVP_PKEY *pkey, const unsigned char *cn, uint32_t serial, i
 		proxy_error("Unable to run X509_new()\n");
 		exit(EXIT_SUCCESS); // we exit gracefully to avoid being restarted
 	}
-	X509_set_version(x, 3);
+	X509_set_version(x, 2);
 	ASN1_INTEGER_set(X509_get_serialNumber(x), serial);
 	X509_gmtime_adj(X509_get_notBefore(x), 0);
 	X509_gmtime_adj(X509_get_notAfter(x), (long)60 * 60 * 24 * days);
@@ -348,6 +350,8 @@ X509 * generate_x509(EVP_PKEY *pkey, const unsigned char *cn, uint32_t serial, i
 	if (ca_x509) {
 		rc = X509_set_issuer_name(x, X509_get_subject_name(ca_x509));
 	} else {
+		X509_EXTENSION* extension = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints, "critical, CA:FALSE");
+		X509_add_ext(x, extension, -1);
 		rc = X509_set_issuer_name(x, name);
 	}
 	if (rc==0) {
@@ -356,9 +360,9 @@ X509 * generate_x509(EVP_PKEY *pkey, const unsigned char *cn, uint32_t serial, i
 	}
 
 	if (ca_pkey) {
-		rc = X509_sign(x, ca_pkey, EVP_sha1());
+		rc = X509_sign(x, ca_pkey, EVP_sha256());
 	} else {
-		rc = X509_sign(x, pkey, EVP_sha1());
+		rc = X509_sign(x, pkey, EVP_sha256());
 	}
 	if (rc==0) {
 		proxy_error("Unable to X509 sign: %s\n", ERR_error_string(ERR_get_error(),NULL));