On 2024-03-06 15:27:50 [+0100], Guilhem Moulin wrote: > Hi Sebastian, Hi,
> Great to hear OpenSSL 3.2 will soon be entering sid! :-) > > On Wed, 06 Mar 2024 at 07:59:53 +0100, Sebastian Andrzej Siewior wrote: > > I'm currently puzzled where to look at. Could you please have a look? > > It seems openssl-req(1ssl) now generates X.509 version 3 certificates by > default. (A new flag `-509v1` was added to revert back to version 1.) > > interimap's test suite generates a transient CAs, but didn't pass any > X.509 v3 basic constraints as it assumed v1. The resulting “CA” was > therefore generated without CA:TRUE thereby failing peer validation. > > The fix is trivial, I'll simply change the test suite to generate a v3 > CA instead and pass CA:TRUE. But I thought it might be useful to spell > the fix out in case there are other affected packages. Thank for the explanation. > Cheers, Sebastian