From a9d3d686a6f4638278a9788dd9ab78f5829309ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20Jaramago=20Fern=C3=A1ndez?=
Date: Tue, 31 Mar 2020 12:01:41 +0200
Subject: [PATCH 1/4] Added X509V3 basic constraints required for CA certificate

---
 src/main.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/main.cpp b/src/main.cpp
index 3d98a443b..d56dec9e4 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -30,6 +30,8 @@
 #include "curl/curl.h"
+#include
+
 #include
 /*
@@ -348,6 +350,8 @@ X509 * generate_x509(EVP_PKEY *pkey, const unsigned char *cn, uint32_t serial, i
 if (ca_x509) {
 rc = X509_set_issuer_name(x, X509_get_subject_name(ca_x509));
 } else {
+ X509_EXTENSION* extension = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints, "critical, CA:TRUE");
+ X509_add_ext(x, extension, -1);
 rc = X509_set_issuer_name(x, name);
 }
 if (rc==0) {

From 76554fa4aef83418037e5487b08d8d011c631be3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20Jaramago=20Fern=C3=A1ndez?=
Date: Tue, 31 Mar 2020 20:12:38 +0200
Subject: [PATCH 2/4] Changed version to 'version 3' which is matched by number 2

---
 src/main.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main.cpp b/src/main.cpp
index d56dec9e4..ed8706a11 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -334,7 +334,7 @@ X509 * generate_x509(EVP_PKEY *pkey, const unsigned char *cn, uint32_t serial, i
 proxy_error("Unable to run X509_new()\n");
 exit(EXIT_SUCCESS); // we exit gracefully to avoid being restarted
 }
- X509_set_version(x, 3);
+ X509_set_version(x, 2);
 ASN1_INTEGER_set(X509_get_serialNumber(x), serial);
 X509_gmtime_adj(X509_get_notBefore(x), 0);
 X509_gmtime_adj(X509_get_notAfter(x), (long)60 * 60 * 24 * days);

From 5cd93248ee3879e6b010f449c05fd6690e557b2f Mon Sep 17 00:00:00 2001
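Review bot: The two lines added in the else branch of generate_x509 neither check for failure nor release what they allocate: X509V3_EXT_conf_nid() returns NULL when it cannot build the extension, X509_add_ext() returns 0 on error and the next line then carries on with a certificate that silently lacks the constraint, and X509_add_ext() stores its own copy, so the X509_EXTENSION returned by X509V3_EXT_conf_nid() is leaked on every call. The hunk in PATCH 3/4 keeps exactly this shape and only changes the value to CA:FALSE, so the same fix applies there. Using the proxy_error + exit(EXIT_SUCCESS) error style this function already uses for X509_sign(), the branch could become the code below. generate_x509 begins before and ends after this hunk.
```cpp
	} else {
		X509_EXTENSION *extension = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints, "critical, CA:TRUE");
		if (extension == NULL || X509_add_ext(x, extension, -1) != 1) {
			proxy_error("Unable to add basicConstraints: %s\n", ERR_error_string(ERR_get_error(), NULL));
			exit(EXIT_SUCCESS); // we exit gracefully to avoid being restarted
		}
		X509_EXTENSION_free(extension); // X509_add_ext() keeps its own copy
		rc = X509_set_issuer_name(x, name);
	}
```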
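Review bot: The new line `X509_set_version(x, 2);` reads like a downgrade to anyone who does not know the X.509 encoding, and the only explanation lives in the commit title; a comment on the line keeps that in the code, e.g. `X509_set_version(x, 2); // X.509 v3 is encoded as INTEGER 2 (v1=0, v2=1, v3=2); v3 is required for the extensions added below`. The return value of X509_set_version() (0 on failure) remains unchecked, which is consistent with the other setters in this hunk but unlike the X509_set_issuer_name() and X509_sign() calls later in the function whose rc is tested. generate_x509 begins before and ends after this hunk.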
From: =?UTF-8?q?Javier=20Jaramago=20Fern=C3=A1ndez?=
Date: Tue, 31 Mar 2020 20:14:30 +0200
Subject: [PATCH 3/4] Modified 'Basic Constraints: CA' to FALSE as the cert generated by mysql itself specifies

---
 src/main.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main.cpp b/src/main.cpp
index ed8706a11..e34be5fec 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -350,7 +350,7 @@ X509 * generate_x509(EVP_PKEY *pkey, const unsigned char *cn, uint32_t serial, i
 if (ca_x509) {
 rc = X509_set_issuer_name(x, X509_get_subject_name(ca_x509));
 } else {
- X509_EXTENSION* extension = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints, "critical, CA:TRUE");
+ X509_EXTENSION* extension = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints, "critical, CA:FALSE");
 X509_add_ext(x, extension, -1);
 rc = X509_set_issuer_name(x, name);
 }

From cc393510d90501f80c30a2f72fc156f3c9a430d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20Jaramago=20Fern=C3=A1ndez?=
Date: Tue, 31 Mar 2020 20:16:23 +0200
Subject: [PATCH 4/4] Changed the 'Signature Algorithm' to 'sha256WithRSAEncryption' to match mysql and ensure browser support

---
 src/main.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main.cpp b/src/main.cpp
index e34be5fec..5d760740e 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -360,9 +360,9 @@ X509 * generate_x509(EVP_PKEY *pkey, const unsigned char *cn, uint32_t serial, i
 }
 if (ca_pkey) {
- rc = X509_sign(x, ca_pkey, EVP_sha1());
+ rc = X509_sign(x, ca_pkey, EVP_sha256());
 } else {
- rc = X509_sign(x, pkey, EVP_sha1());
+ rc = X509_sign(x, pkey, EVP_sha256());
 }
 if (rc==0) {
 proxy_error("Unable to X509 sign: %s\n", ERR_error_string(ERR_get_error(),NULL));
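Review bot: The basicConstraints extension is added only in the branch where ca_x509 is NULL, i.e. where the certificate's issuer is set to its own subject name, and the changed line now makes it a critical CA:FALSE. If that self-signed certificate is the one later handed back as ca_x509/ca_pkey to sign other certificates (the caller is outside this hunk, so this is inferred), a verifier performing RFC 5280 path validation will reject the certificates it signs because their issuer asserts it is not a CA, while certificates produced in the ca_x509 branch receive no basicConstraints at all. It would be worth confirming which certificate each branch produces and setting the flag per role, CA:TRUE for the one that signs and CA:FALSE for the one that does not, rather than copying a single fixed value; whichever is chosen, a comment such as `// basicConstraints on the self-signed cert: CA:FALSE to match MySQL-generated certificates` records the intent. generate_x509 begins before and ends after this hunk.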
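Review bot: After the change the two branches of `if (ca_pkey)` differ only in the key handed to X509_sign(), so the digest is now spelled out twice and must be kept in sync on the next change; `rc = X509_sign(x, ca_pkey ? ca_pkey : pkey, EVP_sha256());` expresses the same behaviour in one line. The existing `if (rc==0)` test on the following line already covers X509_sign() failure, so no additional check is needed. generate_x509 begins before and ends after this hunk.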