From 0f57d66f9e1e7bf4419d9d3a70132bbc4006f9fe Mon Sep 17 00:00:00 2001
From: Sorah Fukumori <her@sorah.jp>
Date: Fri, 3 Apr 2020 00:49:12 +0900
Subject: [PATCH] webrick/ssl: More keyUsage for self-signed certs

Chrome 75+ started to strictly enforce X.509 keyUsage against TLS server
certificates. Webrick supports generating instant self-signed
certificates for debugging purpose and these certificates lacks required
keyUsage for modern TLS. So adding the following keyUsages:

- digitalSignature (for server authentication)
- keyAgreement (for DH key exchange)
- dataEncipherment (for data encryption)

References:

- https://tools.ietf.org/html/rfc5280#section-4.2.1.3
- https://crbug.com/795089
- https://boringssl-review.googlesource.com/c/34604
---
 lib/webrick/ssl.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/webrick/ssl.rb b/lib/webrick/ssl.rb
index d125083528..ab1837fda6 100644
--- a/lib/webrick/ssl.rb
+++ b/lib/webrick/ssl.rb
@@ -122,7 +122,7 @@ module WEBrick
       ef.issuer_certificate = cert
       cert.extensions = [
         ef.create_extension("basicConstraints","CA:FALSE"),
-        ef.create_extension("keyUsage", "keyEncipherment"),
+        ef.create_extension("keyUsage", "keyEncipherment, digitalSignature, keyAgreement, dataEncipherment"),
         ef.create_extension("subjectKeyIdentifier", "hash"),
         ef.create_extension("extendedKeyUsage", "serverAuth"),
         ef.create_extension("nsComment", comment),