webrick/ssl: More keyUsage for self-signed certs

Chrome 75+ started to strictly enforce X.509 keyUsage against TLS server certificates. Webrick supports generating instant self-signed certificates for debugging purpose and these certificates lacks required keyUsage for modern TLS. So adding the following keyUsages: - digitalSignature (for server authentication) - keyAgreement (for DH key exchange) - dataEncipherment (for data encryption) References: - https://tools.ietf.org/html/rfc5280#section-4.2.1.3 - https://crbug.com/795089 - https://boringssl-review.googlesource.com/c/34604
2022-11-09 12:17:21 -05:00 · 2020-04-03 00:49:12 +09:00 · 2020-04-03 00:49:12 +09:00 · 0f57d66f9e
commit 0f57d66f9e
parent 9ddf147237
1 changed files with 1 additions and 1 deletions
--- a/lib/webrick/ssl.rb
+++ b/lib/webrick/ssl.rb
@ -122,7 +122,7 @@ module WEBrick
      ef.issuer_certificate = cert
      cert.extensions = [
        ef.create_extension("basicConstraints","CA:FALSE"),
-        ef.create_extension("keyUsage", "keyEncipherment"),
+        ef.create_extension("keyUsage", "keyEncipherment, digitalSignature, keyAgreement, dataEncipherment"),
        ef.create_extension("subjectKeyIdentifier", "hash"),
        ef.create_extension("extendedKeyUsage", "serverAuth"),
        ef.create_extension("nsComment", comment),