From 9f048da56fd060bfbd793361d9da4c02fc563660 Mon Sep 17 00:00:00 2001 From: "7u83@mail.ru" <7u83@mail.ru@noemail.net> Date: Thu, 12 Mar 2015 22:21:57 +0000 Subject: [PATCH] some improvements to support Cisco. FossilOrigin-Name: 9f0d9e58d55f90bd2020ef622b2501bccbb6038972c04550cb06248139b080c5 --- src/ac/wtpman.c | 4 +- src/capwap/Makefile | 1 + src/capwap/capwap.h | 9 ++++ src/capwap/cw_msgelemtostr.c | 6 ++- src/capwap/cw_readelem_capwap_local_ip_addr.c | 46 +++++++++++++++++++ src/capwap/cwmsg_addelem_wtp_board_data.c | 10 ++-- src/capwap/cwmsg_addelem_wtp_descriptor.c | 46 ++++++++++++------- src/capwap/cwsend_join_request.c | 7 ++- src/capwap/dtls_gnutls_connect.c | 12 ++++- src/capwap/dtls_openssl_bio.c | 2 +- src/capwap/process_join_request.c | 2 +- src/capwap/wtpinfo.h | 4 ++ src/wtp/conf_uci.c | 13 ++++++ src/wtp/join.c | 5 +- src/wtp/wtp_conf.c | 10 ++-- src/wtp/wtp_conf.h | 2 +- src/wtp/wtp_interface.c | 5 +- src/wtp/wtp_uci.default.conf | 6 ++- ssl/mkcert.sh | 26 +++++++---- ssl/openssl-crt.cnf | 3 +- ssl/openssl-int.cnf | 1 + 21 files changed, 172 insertions(+), 48 deletions(-) create mode 100644 src/capwap/cw_readelem_capwap_local_ip_addr.c diff --git a/src/ac/wtpman.c b/src/ac/wtpman.c index bc94c5dc..3273018d 100644 --- a/src/ac/wtpman.c +++ b/src/ac/wtpman.c @@ -505,9 +505,6 @@ static int wtpman_establish_dtls(void *arg) fwrite(cert.data,1,cert.size,f); - exit(0); - -// dtls_get_peers_cert(cert_len,&cert_len); return 1; } @@ -601,6 +598,7 @@ static void wtpman_run(void *arg) return; } +exit(0); switch (cwrmsg->type){ case CWMSG_CHANGE_STATE_EVENT_REQUEST: diff --git a/src/capwap/Makefile b/src/capwap/Makefile index b66389e8..e64b5504 100644 --- a/src/capwap/Makefile +++ b/src/capwap/Makefile 
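Review bot: The `+exit(0);` inserted in wtpman_run right before `switch (cwrmsg->type)` terminates the AC process as soon as the first message from a WTP passes the preceding check, so nothing after the join is ever dispatched. It reads as a debugging stopper left behind, the same kind this commit removes from wtpman_establish_dtls in the first hunk, and should be deleted before merging. wtpman_run's body continues outside the hunk.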
@@ -126,6 +126,7 @@ CAPWAPOBJS= \ cw_readelem_statistics_timer.o \ cw_readelem_mtu_discovery_padding.o \ cw_readelem_vendor_specific_payload.o \ + cw_readelem_capwap_local_ip_addr.o \ cw_readelem_wtp_reboot_statistics.o\ cwmsg_addelem_vendor_cisco_ap_timesync.o \ lw_checksum.o diff --git a/src/capwap/capwap.h b/src/capwap/capwap.h index 06f32daa..fbd828ab 100644 --- a/src/capwap/capwap.h +++ b/src/capwap/capwap.h @@ -38,6 +38,7 @@ enum capwapmodes { CWMODE_STD = 0, CWMODE_CISCO, + CWMODE_CIPWAP, CWMODE_ZYXEL }; @@ -234,9 +235,17 @@ struct capwap_ctrlhdr WTP Radio Statistics 47 */ #define CWMSGELEM_WTP_REBOOT_STATISTICS 48 + +#define CWMSGELEM_WTP_STATIC_IP_ADDRESS_INFO 49 + /* WTP Static IP Address Information 49 */ +/* Cisco's CAPWAP definitions (CAPWAP draft 7)*/ +#define CWMSGELEM_WTP_IPV4_IP_ADDR 42 +#define CWMSGELEM_WTP_IPV6_IP_ADDR 43 + + /* pseudo message elements, defined for libcapwap */ diff --git a/src/capwap/cw_msgelemtostr.c b/src/capwap/cw_msgelemtostr.c index ae7bc86e..feb4d880 100644 --- a/src/capwap/cw_msgelemtostr.c +++ b/src/capwap/cw_msgelemtostr.c @@ -119,8 +119,12 @@ const char * cw_msgelemtostr(int elem) case CWMSGELEM_WTP_FRAME_TUNNEL_MODE: return "frame tunnel mode"; - case CWMSGELEM_RESERVED_1: +/* case CWMSGELEM_RESERVED_1: return "reserved (42)"; +*/ + case CWMSGELEM_WTP_IPV4_IP_ADDR: + return "WTP IPv4 IP address"; + /* Reserved 43 */ diff --git a/src/capwap/cw_readelem_capwap_local_ip_addr.c b/src/capwap/cw_readelem_capwap_local_ip_addr.c new file mode 100644 index 00000000..6f7cf302 --- /dev/null +++ b/src/capwap/cw_readelem_capwap_local_ip_addr.c 
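Review bot: `CWMSGELEM_WTP_IPV4_IP_ADDR 42` and `CWMSGELEM_WTP_IPV6_IP_ADDR 43` reuse element IDs that the surrounding RFC numbering treats as reserved (the old `CWMSGELEM_RESERVED_1` case for 42 had to be commented out in cw_msgelemtostr.c to avoid a duplicate case), yet nothing in the header says they are only meaningful when `capwap_mode` is `CWMODE_CISCO`. I would replace the bare `/* Cisco's CAPWAP definitions (CAPWAP draft 7)*/` with a comment stating that these values collide with reserved standard IDs and must only be emitted or accepted in Cisco mode, so a later reader does not treat them as generally valid. In the cw_msgelemtostr.c hunk the disabled `CWMSGELEM_RESERVED_1` case should be deleted rather than kept as a `/* ... */` block.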
@@ -0,0 +1,46 @@ +#include + +#include "capwap.h" + +int cw_readelem_capwap_local_ip_addr(struct sockaddr * local_ip, int type, uint8_t * msgelem, int len) +{ + switch (type){ + case CWMSGELEM_CAPWAP_LOCAL_IPV4_ADDRESS: + case CWMSGELEM_WTP_IPV4_IP_ADDR: + { + if (len!=4) + return -1; + struct sockaddr_in * sain = (struct sockaddr_in*)local_ip; + memset(sain,0,sizeof(struct sockaddr_in)); + #ifdef HAVE_SIN_LEN + sain->sa_len=sizeof(struct sockaddr_in); + #endif + memcpy(&sain->sin_addr,msgelem,len); + sain->sin_family=AF_INET; + return 1; + } +#ifdef WITH_IPV6 + case CWMSGELEM_CAPWAP_LOCAL_IPV6_ADDRESS: + case CWMSGELEM_WTP_IPV6_IP_ADDR: + { + if (len!=16) + return -1; + + struct sockaddr_in6 * sain = (struct sockaddr_in6*)local_ip; + memset(sain,0,sizeof(struct sockaddr_in6)); + #ifdef HAVE_SIN6_LEN + sain->sa_len=sizeof(struct sockaddr_in); + #endif + memcpy(&sain->sin6_addr,msgelem,len); + sain->sin6_family=AF_INET6; + + + return 1; + } + +#endif + } + return 0; +} + + diff --git a/src/capwap/cwmsg_addelem_wtp_board_data.c b/src/capwap/cwmsg_addelem_wtp_board_data.c index 53d227f4..e95e7910 100644 --- a/src/capwap/cwmsg_addelem_wtp_board_data.c +++ b/src/capwap/cwmsg_addelem_wtp_board_data.c @@ -8,12 +8,15 @@ void cwmsg_addelem_wtp_board_data(struct cwmsg *cwmsg, struct wtpinfo *wtpinfo) { - uint8_t msg[1030]; + uint8_t msg[512]; + + /* vendor identifier */ *((uint32_t *) msg) = htonl(wtpinfo->vendor_id); int l; int len = 4; + /* mandatory sub-elements */ if (wtpinfo->model_no) { l = bstr_len(wtpinfo->model_no); *((uint32_t *) (msg + len)) = htonl(CWBOARDDATA_MODELNO << 16 | l); 
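Review bot: In the IPv6 branch the length stored under `HAVE_SIN6_LEN` was copied from the IPv4 branch: `sain->sa_len=sizeof(struct sockaddr_in);` should be `sizeof(struct sockaddr_in6)`, and on the BSD-derived systems that actually define these length fields the members are `sin_len`/`sin6_len`, not `sa_len`, so both `#ifdef` blocks would fail to compile exactly where they are enabled. The function also `memset`s `sizeof(struct sockaddr_in6)` bytes through a parameter declared `struct sockaddr * local_ip`, which is typically smaller; the contract should state that `local_ip` must point at a `struct sockaddr_storage`, or the parameter type should say so. The switch additionally accepts the Cisco IDs 42/43 regardless of the negotiated mode, so in standard mode an element carrying a reserved ID would be parsed as the local IP address — either gate those cases on `capwap_mode` or document that the caller does. The explicit `len!=4` / `len!=16` checks before the memcpy are the right call.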
@@ -22,12 +25,13 @@ void cwmsg_addelem_wtp_board_data(struct cwmsg *cwmsg, struct wtpinfo *wtpinfo) } if (wtpinfo->serial_no) { - l = strlen((char *) wtpinfo->serial_no); + l = bstr_len( wtpinfo->serial_no); *((uint32_t *) (msg + len)) = htonl(CWBOARDDATA_SERIALNO << 16 | l); - memcpy(msg + len + 4, wtpinfo->serial_no, l); + memcpy(msg + len + 4, bstr_data(wtpinfo->serial_no), l); len += l + 4; } + /* other sub-elements */ if (wtpinfo->macaddress) { *((uint32_t *) (msg + len)) = htonl(CWBOARDDATA_MACADDRESS << 16 | wtpinfo->macaddress_len); diff --git a/src/capwap/cwmsg_addelem_wtp_descriptor.c b/src/capwap/cwmsg_addelem_wtp_descriptor.c index 89ef2b76..030c052f 100644 --- a/src/capwap/cwmsg_addelem_wtp_descriptor.c +++ b/src/capwap/cwmsg_addelem_wtp_descriptor.c @@ -2,22 +2,27 @@ #include #include "capwap.h" +#include "bstr.h" -static inline int wtpdesc_addsubelem(uint8_t * dst,uint8_t type,uint32_t vendorid,uint8_t * str,int len) +static inline int wtpdesc_addsubelem(uint8_t * dst,uint8_t type,uint32_t vendorid,uint8_t * str) { // printf("add subelem\n"); int l; *((uint32_t*)(dst))=htonl(vendorid); // printf("htonl done\n"); - if (len==-1) - l=strlen((char*)str); - else - l=len; +// if (len==-1) +// l=strlen((char*)str); +// else +// l=len;S + + l = bstr_len(str); + + // printf("strlne got %d\n",l); *((uint32_t*)(dst+4))=htonl((type<<16)|l); // printf("memcopy str %d\n",l); - memcpy(dst+8,str,l); + memcpy(dst+8,bstr_data(str),l); return l+8; } @@ -31,11 +36,20 @@ void cwmsg_addelem_wtp_descriptor(struct cwmsg * cwmsg, struct wtpinfo * wtpinfo *(d+1)=wtpinfo->radios_in_use; len=2; + switch (wtpinfo->capwap_mode){ + case CWMODE_CISCO: + *((uint16_t*)(d+len))=0; + len+=2; + break; + default: + break; + } + /* number of encryption elemnts */ // *(d+len)=1; // len+=1; - *(d+len)=0; - len+=1; +// *(d+len)=0; +// len+=1; /* encryption elements */ 
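Review bot: Shrinking `msg` from 1030 to 512 bytes makes the missing bound check in this function more pressing: every sub-element is written with `memcpy(msg + len + 4, ..., l)` where `l` comes from `bstr_len()` of a value the configuration now supplies (model_no and serial_no are read from UCI via `bstr_create_from_cfgstr`), and nothing compares `len + 4 + l` against `sizeof msg`. An over-long serial or model string overflows this stack buffer; the serial_no block in the second hunk has the same exposure. A guard such as `if (len + 4 + l > sizeof msg) return;` before each memcpy (or clamping `l` to the remaining space and logging the truncation) is needed, and the function's header comment should state the 512-byte limit. The end of the function lies outside the hunk.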
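Review bot: The rewritten `wtpdesc_addsubelem` keeps the old length computation as commented-out code with a stray character (`// l=len;S`) next to the old `printf` comments; now that `bstr_len(str)` is the single source of the length, those lines should be deleted so the function reads as its few live statements. It also has no way to bound its writes into `dst`, which every caller relies on, so a one-line comment such as `/* caller guarantees bstr_len(str)+8 bytes at dst */` would at least make the contract explicit.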
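Review bot: Commenting out `*(d+len)=0; len+=1;` removes the encryption-element count byte from the WTP Descriptor in every mode, not only when `capwap_mode` is `CWMODE_CISCO`; the new `switch` adds a two-byte zero in the Cisco arm and nothing in the default arm, so the standard-mode descriptor now starts its sub-elements where the previous layout put the count. If standard mode is still meant to interoperate with non-Cisco ACs, the default arm should keep the original byte: `default: *(d+len)=0; len+=1; break;`. The `*((uint16_t*)(d+len))=0;` store is also potentially unaligned depending on `d`; `memset(d+len,0,2);` avoids that. cwmsg_addelem_wtp_descriptor continues in the next hunk.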
@@ -52,20 +66,20 @@ void cwmsg_addelem_wtp_descriptor(struct cwmsg * cwmsg, struct wtpinfo * wtpinfo */ /* software subelem*/ len+=wtpdesc_addsubelem(d+len,CWMSGSUBELEM_WTP_DESCRIPTOR_SOFTWARE_VERSION, - wtpinfo->software_vendor_id,wtpinfo->software_version,-1); + wtpinfo->software_vendor_id,wtpinfo->software_version); /* hardware subelem*/ -// len+=wtpdesc_addsubelem(d+len,CWMSGSUBELEM_WTP_DESCRIPTOR_HARDWARE_VERSION, -// wtpinfo->hardware_vendor_id,wtpinfo->hardware_version,2); - -/* len+=wtpdesc_addsubelem(d+len,CWMSGSUBELEM_WTP_DESCRIPTOR_HARDWARE_VERSION, + len+=wtpdesc_addsubelem(d+len,CWMSGSUBELEM_WTP_DESCRIPTOR_HARDWARE_VERSION, + wtpinfo->hardware_vendor_id,wtpinfo->hardware_version); +/* + len+=wtpdesc_addsubelem(d+len,CWMSGSUBELEM_WTP_DESCRIPTOR_HARDWARE_VERSION, wtpinfo->hardware_vendor_id,hww,2); */ /* bootloader subelem*/ -/* len+=wtpdesc_addsubelem(d+len,CWMSGSUBELEM_WTP_DESCRIPTOR_BOOTLOADER_VERSION, - wtpinfo->bootloader_vendor_id,wtpinfo->bootloader_version,-1); + len+=wtpdesc_addsubelem(d+len,CWMSGSUBELEM_WTP_DESCRIPTOR_BOOTLOADER_VERSION, + wtpinfo->bootloader_vendor_id,wtpinfo->bootloader_version); + -*/ cwmsg_addelem(cwmsg,CWMSGELEM_WTP_DESCRIPTOR,d,len); } diff --git a/src/capwap/cwsend_join_request.c b/src/capwap/cwsend_join_request.c index 0ab8beb4..149bb591 100644 --- a/src/capwap/cwsend_join_request.c +++ b/src/capwap/cwsend_join_request.c 
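Review bot: Enabling the hardware and bootloader sub-elements passes `wtpinfo->hardware_version` and `wtpinfo->bootloader_version` straight into `wtpdesc_addsubelem`, which now calls `bstr_len(str)` with no NULL check; in this patch only `conf_software_version`, `conf_model_no` and `conf_serial_no` receive defaults or UCI values, so if either of these two fields can remain unset the WTP dereferences NULL while building its Join Request. Either skip a sub-element whose bstr is NULL, e.g. `if (wtpinfo->hardware_version)` around each call, or guarantee non-NULL defaults in wtpconf_preinit and document that requirement on the struct fields. The stale `/* ... hww,2); */` remnant should be removed as well.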
@@ -42,8 +42,11 @@ int cwsend_join_request(struct conn * conn,struct radioinfo * radioinfo,struct w cwmsg_addelem(&cwmsg,CWMSGELEM_WTP_MAC_TYPE,&wtpinfo->mac_type,sizeof(uint8_t)); cwmsg_addelem_wtp_radio_infos(&cwmsg,wtpinfo->radioinfo); - cwmsg_addelem(&cwmsg,CWMSGELEM_ECN_SUPPORT,&wtpinfo->ecn_support,sizeof(uint8_t)); - cwmsg_addelem_cw_local_ip_addr(&cwmsg,conn); + if (wtpinfo->capwap_mode != CWMODE_CISCO){ + cwmsg_addelem(&cwmsg,CWMSGELEM_ECN_SUPPORT,&wtpinfo->ecn_support,sizeof(uint8_t)); + cwmsg_addelem_cw_local_ip_addr(&cwmsg,conn); + } + uint16_t l = htons(wtpinfo->max_msg_len); cwmsg_addelem(&cwmsg,CWMSGELEM_MAXIMUM_MESSAGE_LENGTH,(uint8_t*)&l,sizeof(l)); diff --git a/src/capwap/dtls_gnutls_connect.c b/src/capwap/dtls_gnutls_connect.c index 38223518..bc36e3ce 100644 --- a/src/capwap/dtls_gnutls_connect.c +++ b/src/capwap/dtls_gnutls_connect.c @@ -8,9 +8,11 @@ int dtls_gnutls_connect(struct conn *conn) { struct dtls_gnutls_data * d; - d = dtls_gnutls_data_create(conn,GNUTLS_CLIENT | GNUTLS_DATAGRAM); + d = dtls_gnutls_data_create(conn,GNUTLS_CLIENT | GNUTLS_DATAGRAM | GNUTLS_NONBLOCK); +// gnutls_dh_set_prime_bits(d->session, 512); gnutls_handshake_set_timeout(d->session,GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); + int rc; do { rc = gnutls_handshake(d->session); @@ -21,6 +23,14 @@ int dtls_gnutls_connect(struct conn *conn) cw_log(LOG_ERR,"Can't connect: %s",gnutls_strerror(rc)); return 0; } + + + cw_dbg(DBG_DTLS,"DTLS - Handshake successful"); + + conn->dtls_data=d; + conn->read = dtls_gnutls_read; + conn->write = dtls_gnutls_write; + return 1; } diff --git a/src/capwap/dtls_openssl_bio.c b/src/capwap/dtls_openssl_bio.c index b4c7865a..0aed1dea 100644 --- a/src/capwap/dtls_openssl_bio.c +++ b/src/capwap/dtls_openssl_bio.c @@ -121,7 +121,7 @@ long dtls_openssl_bio_ctrl(BIO * b, int cmd, long num, void *ptr) case BIO_CTRL_DGRAM_QUERY_MTU: { - ret = 1400; + ret = 1300; break; /* sockopt_len = sizeof(sockopt_val); 
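Review bot: Adding `GNUTLS_NONBLOCK` changes what `gnutls_handshake` can return: on a non-blocking session it reports `GNUTLS_E_AGAIN` while waiting for the peer, and unless the `do { ... }` loop whose condition lies outside this hunk retries on that code as well as `GNUTLS_E_INTERRUPTED`, the handshake will fail with "Can't connect" at the first wait. The error path in the second hunk also returns 0 without releasing `d`, which `dtls_gnutls_data_create` presumably allocates, and `d` is never checked for NULL before `d->session` is used. The commented-out `gnutls_dh_set_prime_bits(d->session, 512)` should be deleted rather than left as a one-character re-enable of a 512-bit DH group. The success path that stores `conn->dtls_data`, `conn->read` and `conn->write` looks right.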
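Review bot: `ret = 1300;` swaps one magic MTU for another and nothing records why 1300 is now the value reported for `BIO_CTRL_DGRAM_QUERY_MTU`. A named constant with a comment, e.g. `#define DTLS_BIO_DEFAULT_MTU 1300 /* conservative default reported to OpenSSL; lowered from 1400, presumably for the Cisco interop this commit targets */` together with `ret = DTLS_BIO_DEFAULT_MTU;`, would keep the rationale next to the number. dtls_openssl_bio_ctrl continues outside the hunk.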
diff --git a/src/capwap/process_join_request.c b/src/capwap/process_join_request.c index a5961ef2..3b2fa699 100644 --- a/src/capwap/process_join_request.c +++ b/src/capwap/process_join_request.c @@ -70,7 +70,7 @@ static int process_elem(void *eparm,int type,uint8_t* msgelem,int len) if (wtpinfo_readelem_ecn_support(wtpinfo,type,msgelem,len)) goto foundX; - if (wtpinfo_readelem_cw_local_ip_addr(wtpinfo,type,msgelem,len)){ + if (cw_readelem_capwap_local_ip_addr(wtpinfo,type,msgelem,len)){ cw_mand_elem_found(e->mand, XCWMSGELEM_CAPWAP_LOCAL_IP_ADDRESS); return 1; } diff --git a/src/capwap/wtpinfo.h b/src/capwap/wtpinfo.h index 92743539..56588154 100644 --- a/src/capwap/wtpinfo.h +++ b/src/capwap/wtpinfo.h @@ -40,6 +40,10 @@ struct wtp_reboot_statistics{ /* structure to hold info about a wtp */ struct wtpinfo{ + + int capwap_mode; + + uint8_t *ac_name; uint8_t *name; uint8_t * location; diff --git a/src/wtp/conf_uci.c b/src/wtp/conf_uci.c index d316b3a8..79701dc2 100644 --- a/src/wtp/conf_uci.c +++ b/src/wtp/conf_uci.c @@ -153,6 +153,12 @@ int read_config(const char * filename){ if (str) conf_sslcertfilename=strdup(str); + + str = uci_lookup_option_string(ctx,section,"ssl_cipher"); + if (str) + conf_dtls_cipher=strdup(str); + + str = uci_lookup_option_string(ctx,section,"vendor_id"); if (str) conf_vendor_id=atoi(str); @@ -163,6 +169,13 @@ int read_config(const char * filename){ bstr_replace(&conf_software_version,s); } + str = uci_lookup_option_string(ctx,section,"serial_no"); + if (str){ + uint8_t * s = bstr_create_from_cfgstr(str); + bstr_replace(&conf_serial_no,s); + } + + str = uci_lookup_option_string(ctx,section,"model_no"); if (str){ uint8_t * s = bstr_create_from_cfgstr(str); diff --git a/src/wtp/join.c b/src/wtp/join.c index e4f6bab8..a092fa5c 100644 --- a/src/wtp/join.c +++ b/src/wtp/join.c 
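Review bot: The new call passes `wtpinfo`, apparently a `struct wtpinfo *` as the neighbouring `wtpinfo_readelem_ecn_support(wtpinfo,...)` call suggests, as the first argument of `cw_readelem_capwap_local_ip_addr`, whose first parameter is declared `struct sockaddr * local_ip` in the new file; the old `wtpinfo_readelem_cw_local_ip_addr` took the wtpinfo itself, but the replacement `memset`s and writes `sin_family`/`sin_addr` into whatever it is handed, so this would zero and overwrite the first bytes of the wtpinfo struct (starting with the new `capwap_mode` field) on every Join Request carrying a local IP element. The argument should be the address of the wtpinfo member that stores the local address, e.g. `cw_readelem_capwap_local_ip_addr((struct sockaddr*)&wtpinfo-><LOCAL_IP_FIELD>,type,msgelem,len)` with the real field name substituted, and a prototype for the new function in capwap.h would let the compiler flag this mismatch. process_elem continues outside the hunk.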
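Review bot: `conf_dtls_cipher=strdup(str);` overwrites the previous pointer without freeing it and does not check the `strdup` result, matching the existing `conf_sslcertfilename` pattern but still leaking if read_config runs more than once; `free(conf_dtls_cipher); conf_dtls_cipher=strdup(str);` is the safe form. The value is a security-relevant DTLS cipher setting taken verbatim from the config and presumably handed to the DTLS library, so a comment here, and in wtp_uci.default.conf where `option ssl_cipher` currently sits under an empty `# ciphers` header, should state which syntax it expects and what is used when it is unset. The serial_no block in the second hunk mirrors the existing model_no handling and looks fine.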
@@ -46,6 +46,8 @@ int join_state(struct conn * conn) struct cwrmsg * cwrmsg = conn_get_message(conn); + printf("Received %08p\n",cwrmsg); + // cw_log_debug0("Received message %i",cwrmsg->seqnum); if (cwrmsg->type != CWMSG_JOIN_RESPONSE || cwrmsg->seqnum != conn->seqnum){ @@ -117,15 +119,12 @@ int join(struct sockaddr *sa) sock_addrtostr(sa,str,100); cw_log(LOG_ERR,"Can't establish DTLS connection to %s",str); close(sockfd); -exit(0); return 0; } -exit(0); #endif cw_dbg (DBG_DTLS,"DTLS session established with %s, cipher=%s",sock_addr2str(sa),dtls_get_cipher(conn)); -exit(0); #ifdef WITH_CW_LOG_DEBUG diff --git a/src/wtp/wtp_conf.c b/src/wtp/wtp_conf.c index ef13525d..d87d10d6 100644 --- a/src/wtp/wtp_conf.c +++ b/src/wtp/wtp_conf.c @@ -21,6 +21,8 @@ #include "capwap/sock.h" #include "capwap/cw_log.h" +#include "capwap/bstr.h" + char * conf_primary_if=0; char * conf_wtpname=0; @@ -69,7 +71,7 @@ uint32_t * conf_hardware_vendor_id; uint8_t * conf_hardware_version; uint8_t * conf_model_no; -uint8_t * cont_serial_no; +uint8_t * conf_serial_no; LONGSTRS conf_timer_cfgstrs[] = { @@ -136,9 +138,10 @@ int wtpconf_name() char * default_ac_list[] = { - "192.168.0.255", +// "192.168.0.255", "255.255.255.255", // "224.0.1.140", +// "192.168.0.12" }; int wtpconf_ac_list() @@ -198,7 +201,8 @@ int wtpconf_preinit() conf_vendor_id = CONF_DEFAULT_VENDOR_ID; - conf_software_version = bstr_create(CONF_DEFAULT_SOFTWARE_VERSION); + conf_software_version = bstr_create_from_cfgstr(CONF_DEFAULT_SOFTWARE_VERSION); + conf_serial_no = bstr_create_from_cfgstr(CONF_DEFAULT_SERIAL_NO); } diff --git a/src/wtp/wtp_conf.h b/src/wtp/wtp_conf.h index b95d48c0..9d35e4a4 100644 --- a/src/wtp/wtp_conf.h +++ b/src/wtp/wtp_conf.h @@ -22,7 +22,7 @@ extern uint32_t * conf_hardware_vendor_id; extern uint8_t * conf_hardware_version; extern uint8_t * conf_model_no; -extern uint8_t * cont_serial_no; +extern uint8_t * conf_serial_no; 
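Review bot: `printf("Received %08p\n",cwrmsg);` combines the `0` flag with the `p` conversion, which the C standard leaves undefined, and it writes raw debug output to stdout instead of going through the project's logging; either use `cw_dbg(...)` with a suitable debug category and `"Received message %p",(void*)cwrmsg`, or, better, drop the line along with the other `exit(0)` leftovers this commit removes. `cwrmsg` is dereferenced on the following line without a NULL check; that predates the hunk but the new print makes it more visible. join_state continues outside the hunk.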
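Review bot: `conf_serial_no = bstr_create_from_cfgstr(CONF_DEFAULT_SERIAL_NO);` references a macro this commit does not define and that does not appear in the visible wtp_conf.h hunk; if it is not provided elsewhere the WTP no longer builds, and if it is, the rename from `cont_serial_no` plus this new default (replacing the hard-coded "123456789" in wtp_interface.c) deserve a line in the commit message since they change the identity the WTP reports. `conf_software_version` now also goes through `bstr_create_from_cfgstr` instead of `bstr_create`, which is fine only if CONF_DEFAULT_SOFTWARE_VERSION is written in the cfgstr syntax that function parses — a one-line comment at its definition would pin that down.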
diff --git a/src/wtp/wtp_interface.c b/src/wtp/wtp_interface.c index efe0ef78..2a8e9332 100644 --- a/src/wtp/wtp_interface.c +++ b/src/wtp/wtp_interface.c @@ -13,9 +13,12 @@ struct wtpinfo * get_wtpinfo() { struct wtpinfo * wtpinfo; + + wtpinfo=malloc(sizeof(struct wtpinfo)); memset(wtpinfo,0,sizeof(struct wtpinfo)); + wtpinfo->capwap_mode=CWMODE_CISCO; wtpinfo->name = (uint8_t*)"wtp"; wtpinfo->location = (uint8_t*)"Unknown"; @@ -26,7 +29,7 @@ struct wtpinfo * get_wtpinfo() } */ - wtpinfo->serial_no="123456789"; + wtpinfo->serial_no=conf_serial_no; wtpinfo->vendor_id=conf_vendor_id; wtpinfo->model_no=conf_model_no; diff --git a/src/wtp/wtp_uci.default.conf b/src/wtp/wtp_uci.default.conf index fe958d69..c019cd61 100644 --- a/src/wtp/wtp_uci.default.conf +++ b/src/wtp/wtp_uci.default.conf @@ -18,6 +18,10 @@ config 'wtp' option ssl_cert option ssl_key + # ciphers + # + option ssl_cipher + # vendor id # set the vendor id as integer value # default is gnu @@ -29,7 +33,7 @@ config 'wtp' config 'dbg' - # defbug options + # debug options option dtls 0 option dtls_detail 0 option dtls_bio 0 diff --git a/ssl/mkcert.sh b/ssl/mkcert.sh index 00906ee3..be13ce0f 100755 --- a/ssl/mkcert.sh +++ b/ssl/mkcert.sh @@ -34,7 +34,7 @@ createcert() PREF="$TYPE-" fi $OPENSSL genrsa -out $DIR/$NAME.key $KEYSIZE - $OPENSSL req -sha1 -new -key $DIR/$NAME.key -out $DIR/$NAME.req \ + $OPENSSL req -sha256 -new -key $DIR/$NAME.key -out $DIR/$NAME.req \ -subj "$SUBJ" 
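Review bot: `wtpinfo->capwap_mode=CWMODE_CISCO;` hard-codes Cisco mode for every WTP, and because cwsend_join_request.c now omits the ECN Support and CAPWAP Local IP Address elements in that mode and cwmsg_addelem_wtp_descriptor.c changes the descriptor layout for it, a WTP built from this commit will no longer send a standard Join Request to a non-Cisco AC. The mode should come from configuration with `CWMODE_STD` as the default, e.g. `wtpinfo->capwap_mode=conf_capwap_mode;` backed by a proposed `conf_capwap_mode` setting and an `option capwap_mode` entry in wtp_uci.default.conf, or at least be marked with a comment as a temporary hard-coded choice. The unchecked `malloc` above it predates this hunk.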
@@ -74,16 +74,22 @@ fi if [ "$TYPE" = "cisco-ap" ] then PREF="$2-" -# SUBJ="/C=US/ST=California/L=San Jose/O=Cisco Systems/CN=C1130-f866f2a342fc/emailAddress=support@cisco.com" -# SUBJ="/C=US/ST=California/L=San Jose/O=airespace Inc/CN=C1130-f866f2a342fc/emailAddress=support@airespace.com" - -# SUBJ="/ST=California/L=San Jose/C=US/O=Cisco Systems/CN=C1130-c80aa9cd7fa4/emailAddress=support@cisco.com" - #SUBJ="/ST=California/L=San Jose/C=US/O=Cisco Systems/CN=C1130-c80aa9cd7fa4/emailAddress=support@cisco.com" -# SUBJ="/C=US/ST=California/L=San Jose/O=airespace Inc/CN=C1130-f866f2a342fc/emailAddress=support@airespace.com" -# SUBJ="/C=US/ST=California/L=San Jose/O=Cisco Systems/CN=C1200-c80aa9cd7fa4/emailAddress=support@cisco.com" -# SUBJ="/C=US/ST=California/L=San Jose/O=Cisco Systems/CN=C1130-c80aa9cd7fa4/emailAddress=support@cisco.com" SUBJ="/C=US/ST=California/L=San Jose/O=Cisco Systems/CN=C1130-0019dbe09327/emailAddress=support@cisco.com" - createcert "$SUBJ" + + openssl req -nodes -new -x509 \ + -sha1 \ + -extensions v3_ca \ + -days 3650 \ + -newkey rsa:2048 \ + -keyout certs/${NAME}.key -out certs/${NAME}.crt \ + -config openssl.cnf \ + -x509 \ + -subj "$SUBJ" + + $OPENSSL x509 -in $DIR/$NAME.crt -out $DIR/$NAME.pem + + +# createcert "$SUBJ" fi diff --git a/ssl/openssl-crt.cnf b/ssl/openssl-crt.cnf index 19c3c329..557ea231 100644 --- a/ssl/openssl-crt.cnf +++ b/ssl/openssl-crt.cnf @@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate field options default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL -default_md = sha1 #md5 # use public key default MD +default_md = sha256 #md5 # use public key default MD preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look 
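Review bot: The new cisco-ap branch calls `openssl` directly instead of `$OPENSSL`, writes the key and certificate to `certs/${NAME}.key` and `certs/${NAME}.crt` but then converts `$DIR/$NAME.crt`, passes `-x509` twice, and uses `-config openssl.cnf` although the configs in this repository are openssl-crt.cnf and openssl-int.cnf, so the step only works when `DIR` happens to be `certs` and a file named openssl.cnf exists. It also signs with `-sha1` while the createcert path in the first hunk moves to `-sha256`; if SHA-1 is genuinely required by the target AP a comment saying so belongs next to it, otherwise it should be `-sha256`. The rewrite below quotes the expansions, routes everything through `$OPENSSL` and `$DIR`, and replaces the `# createcert "$SUBJ"` remnant, which should be deleted rather than kept as a comment.
```shell
    SUBJ="/C=US/ST=California/L=San Jose/O=Cisco Systems/CN=C1130-0019dbe09327/emailAddress=support@cisco.com"

    # TODO(review): confirm the target AP really requires SHA-1; otherwise use sha256 like createcert()
    CISCO_AP_MD=sha1
    # TODO(review): pick the config file the cisco-ap profile is meant to use (openssl-crt.cnf or openssl-int.cnf)
    CISCO_AP_CNF=<CONFIG_FILE>

    "$OPENSSL" req -nodes -new -x509 \
        -"$CISCO_AP_MD" \
        -extensions v3_ca \
        -days 3650 \
        -newkey rsa:2048 \
        -keyout "$DIR/$NAME.key" -out "$DIR/$NAME.crt" \
        -config "$CISCO_AP_CNF" \
        -subj "$SUBJ"

    "$OPENSSL" x509 -in "$DIR/$NAME.crt" -out "$DIR/$NAME.pem"
```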
@@ -237,6 +237,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectKeyIdentifier= hash authorityKeyIdentifier=keyid:always,issuer:always +authorityInfoAccess=caIssuers;URI:http://my.ca/ca.html # This is what PKIX recommends but some broken software chokes on critical # extensions. diff --git a/ssl/openssl-int.cnf b/ssl/openssl-int.cnf index d289ec05..ac05d1a5 100644 --- a/ssl/openssl-int.cnf +++ b/ssl/openssl-int.cnf @@ -237,6 +237,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectKeyIdentifier= hash authorityKeyIdentifier=keyid:always,issuer:always +authorityInfoAccess=caIssuers;URI:http://my.ca/ca.html # This is what PKIX recommends but some broken software chokes on critical # extensions.
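Review bot: `authorityInfoAccess=caIssuers;URI:http://my.ca/ca.html` embeds a placeholder hostname in every certificate these configs issue, and RFC 5280 expects a caIssuers HTTP location to serve the issuer certificate (or a certs-only CMS bundle), not an HTML page, so relying parties that attempt AIA chasing will fail or fetch from whoever controls that name. Point the URI at a real, operator-controlled location serving the CA certificate, or leave the extension out until one exists; a comment such as `# AIA caIssuers must point at the CA certificate itself, not a web page` would keep the next editor from copying the placeholder. The identical line in the openssl-int.cnf hunk needs the same change.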