[PATCH] MINOR: generate-certificates for BoringSSL
Emmanuel Hocdet
2018-10-03 10:52:32 UTC
Hi,

For generate-certificates, X509V3_EXT_conf is used but it's a (very) old API
call: X509V3_EXT_nconf must be preferred. OpenSSL compatibility is ok
because it's inside #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME, introduced 5
years after X509V3_EXT_nconf.
(BoringSSL only has X509V3_EXT_nconf)

Christopher, if you have time to check this little patch :)

++
Manu
Christopher Faulet
2018-10-08 08:06:31 UTC
Post by Emmanuel Hocdet
Hi,
For generate-certificates, X509V3_EXT_conf is used but it's a (very) old API
call: X509V3_EXT_nconf must be preferred. OpenSSL compatibility is ok
because it's inside #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME, introduced 5
years after X509V3_EXT_nconf.
(BoringSSL only has X509V3_EXT_nconf)
Christopher, if you have time to check this little patch :)
Hi Manu,

Sorry for the lag. So, I tested your patches, and it works for me. I
have only tested it with OpenSSL 1.1.0. But it seems to be safe enough.
--
Christopher
Christopher Faulet
2018-10-08 08:11:05 UTC
Post by Emmanuel Hocdet
Hi,
For generate-certificates, X509V3_EXT_conf is used but it's a (very) old API
call: X509V3_EXT_nconf must be preferred. OpenSSL compatibility is ok
because it's inside #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME, introduced 5
years after X509V3_EXT_nconf.
(BoringSSL only has X509V3_EXT_nconf)
Christopher, if you have time to check this little patch :)
Applied, thank you Manu!
--
Christopher