From e770c8a2d5ae827e6c0e0f511134ba21e1c121e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20Jaramago=20Fern=C3=A1ndez?=
Date: Fri, 23 Apr 2021 08:46:39 +0200
Subject: [PATCH 1/2] Closes #3412: Self generated certificates now exhibit the same 'X509v3 Basic Constraints' as MySQL self generated ones
---
 src/main.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/main.cpp b/src/main.cpp
index efe8cc5f5..3df0e90b7 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -368,9 +368,11 @@ X509 * generate_x509(EVP_PKEY *pkey, const unsigned char *cn, uint32_t serial, i
 X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, cn, -1, -1, 0);
 if (ca_x509) {
+ X509_EXTENSION* extension = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints, "critical, CA:FALSE");
+ X509_add_ext(x, extension, -1);
 rc = X509_set_issuer_name(x, X509_get_subject_name(ca_x509));
 } else {
- X509_EXTENSION* extension = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints, "critical, CA:FALSE");
+ X509_EXTENSION* extension = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints, "critical, CA:TRUE");
 X509_add_ext(x, extension, -1);
 rc = X509_set_issuer_name(x, name);
 }

From b016684a94cb085d98579f537d331d308f67550f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20Jaramago=20Fern=C3=A1ndez?=
Date: Fri, 23 Apr 2021 10:49:01 +0200
Subject: [PATCH 2/2] Improved error handling and OpenSSL API usage when adding certificate extensions
---
 src/main.cpp | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/src/main.cpp b/src/main.cpp
index 3df0e90b7..39dfaa241 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -350,6 +350,8 @@ X509 * generate_x509(EVP_PKEY *pkey, const unsigned char *cn, uint32_t serial, i
 int rc;
 X509 * x = NULL;
 X509_NAME * name= NULL;
+ X509_EXTENSION* ext = NULL;
+ X509V3_CTX v3_ctx;
 if ((x = X509_new()) == NULL) {
 proxy_error("Unable to run X509_new()\n");
 exit(EXIT_SUCCESS); // we exit gracefully to avoid being restarted
@@ -368,12 +370,8 @@ X509 * generate_x509(EVP_PKEY *pkey, const unsigned char *cn, uint32_t serial, i
 X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, cn, -1, -1, 0);
 if (ca_x509) {
- X509_EXTENSION* extension = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints, "critical, CA:FALSE");
- X509_add_ext(x, extension, -1);
 rc = X509_set_issuer_name(x, X509_get_subject_name(ca_x509));
 } else {
- X509_EXTENSION* extension = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints, "critical, CA:TRUE");
- X509_add_ext(x, extension, -1);
 rc = X509_set_issuer_name(x, name);
 }
 if (rc==0) {
@@ -381,6 +379,19 @@ X509 * generate_x509(EVP_PKEY *pkey, const unsigned char *cn, uint32_t serial, i
 exit(EXIT_SUCCESS); // we exit gracefully to avoid being restarted
 }
+ // set the context
+ X509V3_set_ctx(&v3_ctx, ca_x509 ? ca_x509 : x, x, NULL, NULL, 0);
+
+ ext = X509V3_EXT_conf_nid(
+ NULL, &v3_ctx, NID_basic_constraints, ca_x509 ? "critical, CA:FALSE" : "critical, CA:TRUE");
+ if (ext) {
+ X509_add_ext(x, ext, -1);
+ X509_EXTENSION_free(ext);
+ } else {
+ proxy_error("Unable to set certificate extensions: %s\n", ERR_error_string(ERR_get_error(),NULL));
+ exit(EXIT_SUCCESS); // we exit gracefully to avoid being restarted
+ }
+
 if (ca_pkey) {
 rc = X509_sign(x, ca_pkey, EVP_sha256());
 } else {
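Review bot: The return value of X509_add_ext() at `X509_add_ext(x, ext, -1);` in the second hunk is ignored, so if attaching the extension fails the certificate is still signed without its Basic Constraints and nothing is logged, whereas the X509V3_EXT_conf_nid() failure right below is treated as fatal. Because X509_add_ext() stores a copy, `ext` can be released unconditionally (X509_EXTENSION_free() accepts NULL) and one error branch can cover both failures, as in the excerpt below. `v3_ctx` is declared without an initializer and X509V3_set_ctx() does not touch its config-database fields, so calling `X509V3_set_ctx_nodb(&v3_ctx);` before the set_ctx call would match how the openssl tooling prepares the context. The `ERR_error_string(..., NULL)` form writes into a static buffer; `ERR_error_string_n()` with a local buffer is the reentrant variant, which matters if this path can ever run off the main thread. generate_x509() begins and ends outside this hunk.
```cpp
	X509V3_set_ctx_nodb(&v3_ctx);
	X509V3_set_ctx(&v3_ctx, ca_x509 ? ca_x509 : x, x, NULL, NULL, 0);
	// … unchanged: X509V3_EXT_conf_nid() call assigning ext …
	// X509_add_ext() stores a copy, so 'ext' is released on every path; its
	// result is checked so the certificate is never signed without Basic Constraints
	int added = ext ? X509_add_ext(x, ext, -1) : 0;
	X509_EXTENSION_free(ext);
	if (!added) {
		proxy_error("Unable to set certificate extensions: %s\n", ERR_error_string(ERR_get_error(),NULL));
		exit(EXIT_SUCCESS); // we exit gracefully to avoid being restarted
	}
	// … unchanged: X509_sign() selection …
```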