From 2d745eee1b585d4f625f9a1f1088ad8fb1c706d8 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Tue, 5 Mar 2024 14:46:28 +1100
Subject: [PATCH] MDEV-33592: Use X509v3 for compatibility with libraries
According to rfc5280, x509v3 was standardised in June 1996. RusTLS only accepts v3 certificates rejected the v1 default. (ref: https://github.com/rustls/webpki/issues/29#issuecomment-1453783741) It seems reasonable that all client libraries can accept v3. X509_VERSION_3 has a fixed value of 2, but isn't defined in OpenSSL-1.1.1. Thanks Austin Bonander for the suggested patch.
---
 vio/viosslfactories.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
index 530872c428635..8e76c814a4419 100644
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -20,10 +20,15 @@
 #ifdef HAVE_OPENSSL
 #include
 #include
+#include
 
 static my_bool ssl_algorithms_added = FALSE;
 static my_bool ssl_error_strings_loaded= FALSE;
 
+#ifndef X509_VERSION_3
+#define X509_VERSION_3 2
+#endif
+
 /* the function below was generated with "openssl dhparam -2 -C 2048" */
 #ifndef HAVE_WOLFSSL
 static
@@ -125,6 +130,8 @@ static X509 *vio_gencert(EVP_PKEY *pkey)
 
   if (!(x= X509_new()))
     goto err;
+  if (!X509_set_version(x, X509_VERSION_3))
+    goto err;
   if (!(name= X509_get_subject_name(x)))
     goto err;
   if (!X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
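Review bot: The added X509_set_version call in vio_gencert changes only the version field and adds no v3 extensions, so the generated certificate is still a self-signed cert with no basicConstraints, subjectKeyIdentifier or keyUsage; that is permitted by RFC 5280 (extensions are optional in v3), but verifiers stricter than the v1 rejection this commit targets may still refuse it, and the reason for the bare version bump should be recorded at the call: `/* v3 without extensions: some verifiers (e.g. rustls/webpki) reject v1 */`. The call is not wrapped in the HAVE_WOLFSSL guard the same file uses for the dhparam code in the first hunk, so it presumably relies on the wolfSSL compatibility layer providing X509_set_version — worth confirming on a wolfSSL build. The fallback `#define X509_VERSION_3 2` in the first hunk would also benefit from a one-line comment that the ASN.1 field encodes version-1, which the commit message explains but the code does not. vio_gencert begins before the hunk and continues after it.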