From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Mon, 30 Dec 2024 14:55:33 +0000 (+0100)
Subject: dnsdist: Fix regression tests with Python 3.13
X-Git-Tag: dnsdist-2.0.0-alpha1~189^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F15003%2Fhead;p=thirdparty%2Fpdns.git

dnsdist: Fix regression tests with Python 3.13

The CA certificates that we are generating as par of our regression tests
were lacking the X.509 `Key Usage` extension, causing TLS validation with
Python 3.13 to fail with:

> certificate verify failed: CA cert does not include key usage extension

It appears that Python 3.13 enables `VERIFY_X509_STRICT` by default, which makes OpenSSL stricter, and thus it chokes on our invalid CA.
---

diff --git a/regression-tests.dnsdist/configCA.conf b/regression-tests.dnsdist/configCA.conf
index ddb427ce01..cd71e1e3b9 100644
--- a/regression-tests.dnsdist/configCA.conf
+++ b/regression-tests.dnsdist/configCA.conf
@@ -1,7 +1,6 @@
 [req]
 default_bits = 2048
 encrypt_key = no
-x509_extensions = custom_extensions
 prompt = no
 distinguished_name = distinguished_name
 
@@ -9,15 +8,12 @@ distinguished_name = distinguished_name
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always
 basicConstraints = critical, CA:true
+keyUsage = critical, cRLSign, keyCertSign
 
 [distinguished_name]
 CN = DNSDist TLS regression tests CA
 OU = PowerDNS.com BV
 countryName = NL
 
-[custom_extensions]
-basicConstraints = CA:true
-keyUsage = cRLSign, keyCertSign
-
 [CA_default]
 copy_extensions = copy