MDEV-33592: Use X509v3 for compatibility with libraries

According to rfc5280, x509v3 was standardised in June 1996. RusTLS only accepts v3 certificates rejected the v1 default. (ref: rustls/webpki#29 (comment)) It seems reasonable that all client libraries can accept v3. X509_VERSION_3 has a fixed value of 2, but isn't defined in OpenSSL-1.1.1. Thanks Austin Bonander for the suggested patch.
MariaDB · Apr 15, 2024 · 24dd78e · 24dd78e
1 parent 435a10e
commit 24dd78e
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
@@ -20,10 +20,15 @@
 #ifdef HAVE_OPENSSL
 #include <openssl/dh.h>
 #include <openssl/bn.h>
+#include <openssl/x509.h>
 
 static my_bool     ssl_algorithms_added    = FALSE;
 static my_bool     ssl_error_strings_loaded= FALSE;
 
+#ifndef X509_VERSION_3
+#define X509_VERSION_3 2
+#endif
+
 /* the function below was generated with "openssl dhparam -2 -C 2048" */
 #ifndef HAVE_WOLFSSL
 static
@@ -125,6 +130,8 @@ static X509 *vio_gencert(EVP_PKEY *pkey)
   if (!(x= X509_new()))
     goto err;
 
+  if (!X509_set_version(x, X509_VERSION_3))
+    goto err;
   if (!(name= X509_get_subject_name(x)))
     goto err;
   if (!X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,