MDEV-33592: Use X509v3 for compatibility with libraries

According to rfc5280, x509v3 was standardised in June 1996. RusTLS only accepts v3 certificates rejected the v1 default. (ref: https://github.com/rustls/webpki/issues/29#issuecomment-1453783741) It seems reasonable that all client libraries can accept v3. X509_VERSION_3 has a fixed value of 2, but isn't defined in OpenSSL-1.1.1. Thanks Austin Bonander for the suggested patch.

MDEV-33592: Use X509v3 for compatibility with libraries
According to rfc5280, x509v3 was standardised in June 1996. RusTLS only accepts v3 certificates rejected the v1 default. (ref: https://github.com/rustls/webpki/issues/29#issuecomment-1453783741) It seems reasonable that all client libraries can accept v3. X509_VERSION_3 has a fixed value of 2, but isn't defined in OpenSSL-1.1.1. Thanks Austin Bonander for the suggested patch.
24dd78e5 · Daniel Black · 435a10e4 · 24dd78e5
Commit 24dd78e5 authored Mar 05, 2024 by Daniel Black
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

vio/viosslfactories.c vio/viosslfactories.c +7 -0

No files found.
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -20,10 +20,15 @@
 #ifdef HAVE_OPENSSL
 #include <openssl/dh.h>
 #include <openssl/bn.h>
+#include <openssl/x509.h>

 static my_bool     ssl_algorithms_added    = FALSE;
 static my_bool     ssl_error_strings_loaded= FALSE;

+#ifndef X509_VERSION_3
+#define X509_VERSION_3 2
+#endif
+
 /* the function below was generated with "openssl dhparam -2 -C 2048" */
 #ifndef HAVE_WOLFSSL
 static
@@ -125,6 +130,8 @@ static X509 *vio_gencert(EVP_PKEY *pkey)
  if (!(x= X509_new()))
    goto err;

+  if (!X509_set_version(x, X509_VERSION_3))
+    goto err;
  if (!(name= X509_get_subject_name(x)))
    goto err;
  if (!X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,