The CA certificates that we are generating as part of our regression tests
were lacking the X.509 `Key Usage` extension, causing TLS validation with
Python 3.13 to fail with:

> certificate verify failed: CA cert does not include key usage extension

It appears that Python 3.13 enables `VERIFY_X509_STRICT` by default, which makes OpenSSL stricter, and thus it chokes on our invalid CA.
[req]
default_bits = 2048
encrypt_key = no
-x509_extensions = custom_extensions
prompt = no
distinguished_name = distinguished_name
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical, CA:true
+keyUsage = critical, cRLSign, keyCertSign
[distinguished_name]
CN = DNSDist TLS regression tests CA
OU = PowerDNS.com BV
countryName = NL
-[custom_extensions]
-basicConstraints = CA:true
-keyUsage = cRLSign, keyCertSign
-
[CA_default]
copy_extensions = copy
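Review bot: With `x509_extensions = custom_extensions` dropped from `[req]`, the visible lines do not show which section the new `keyUsage = critical, cRLSign, keyCertSign` line belongs to, or how that section is selected when the CA is generated. The removed `[custom_extensions]` block already set `keyUsage = cRLSign, keyCertSign`, yet the commit message says the generated CA had no Key Usage extension, so that block was apparently not the one being applied. Please add a comment in the config naming the section that is actually used for the CA and where it is referenced, so a later change does not land in an unused section again. It would also help to have the regression setup inspect the generated CA and fail if `keyUsage` or `basicConstraints` is missing, rather than relying on the Python version in use to surface the problem.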