From 98ef889a9232877ac369b67c11922bab92ab84a9 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Mon, 30 Dec 2024 15:55:33 +0100
Subject: [PATCH] dnsdist: Fix regression tests with Python 3.13

The CA certificates that we are generating as par of our regression tests were lacking the X.509 `Key Usage` extension, causing TLS validation with Python 3.13 to fail with:
> certificate verify failed: CA cert does not include key usage extension
It appears that Python 3.13 enables `VERIFY_X509_STRICT` by default, which makes OpenSSL stricter, and thus it chokes on our invalid CA.
---
 regression-tests.dnsdist/configCA.conf | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/regression-tests.dnsdist/configCA.conf b/regression-tests.dnsdist/configCA.conf
index ddb427ce01..cd71e1e3b9 100644
--- a/regression-tests.dnsdist/configCA.conf
+++ b/regression-tests.dnsdist/configCA.conf
@@ -1,7 +1,6 @@
 [req]
 default_bits = 2048
 encrypt_key = no
-x509_extensions = custom_extensions
 prompt = no
 distinguished_name = distinguished_name
 
@@ -9,15 +8,12 @@ distinguished_name = distinguished_name
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always
 basicConstraints = critical, CA:true
+keyUsage = critical, cRLSign, keyCertSign
 
 [distinguished_name]
 CN = DNSDist TLS regression tests CA
 OU = PowerDNS.com BV
 countryName = NL
 
-[custom_extensions]
-basicConstraints = CA:true
-keyUsage = cRLSign, keyCertSign
-
 [CA_default]
 copy_extensions = copy
--
2.47.2
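Review bot: The section that receives `keyUsage = critical, cRLSign, keyCertSign` in the second hunk has its header in the gap between the two hunks (presumably old line 8), and once the first hunk drops `x509_extensions` from `[req]` nothing in the visible config selects that section. The CA therefore presumably gets these extensions only because the generating command names the section with `-extensions`. That hidden coupling looks like what let the removed `[custom_extensions]` block carry a `keyUsage` that, per the commit message, never reached the certificate, so it deserves a comment above the section header, for example `# Applied through -extensions on the openssl req command line; [req] sets no x509_extensions`. Since the failure only surfaced once a client enabled `VERIFY_X509_STRICT`, a check on the generated CA such as `openssl x509 -in <ca-cert> -noout -ext keyUsage,basicConstraints` would catch this kind of drift independently of the Python version.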