diff --git a/ChangeLog b/ChangeLog
index 19182ef5ff..dab2ca139f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,16 @@
+Wed Nov 23 07:26:44 2005  GOTOU Yuuzou  <gotoyuzo@notwork.org>
+
+	* ext/openssl/extconf.rb: check for X509V3_EXT_nconf_nid.
+
+	* ext/openssl/ossl_x509ext.c (MakeX509ExtFactory): should use
+	  OPENSSL_malloc to allocate X509V3_CTX.
+
+	* ext/openssl/ossl_x509ext.c (ossl_x509extfactory_create_ext): use
+	  X509V3_EXT_nconf_nid to avoid SEGV (and to build extensions which
+	  values are placed in separate section).
+
+	* test/openssl/test_x509ext.rb: new file.
+
 Wed Nov 23 01:22:57 2005  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* file.c (test_identical): test if two files are identical.
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index f2fe9a40f4..42afc9608c 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -84,6 +84,7 @@ have_func("HMAC_CTX_copy")
 have_func("HMAC_CTX_init")
 have_func("PEM_def_callback")
 have_func("X509V3_set_nconf")
+have_func("X509V3_EXT_nconf_nid")
 have_func("X509_CRL_add0_revoked")
 have_func("X509_CRL_set_issuer_name")
 have_func("X509_CRL_set_version")
diff --git a/ext/openssl/ossl_x509ext.c b/ext/openssl/ossl_x509ext.c
index 8ba555d3e0..31ffec48fa 100644
--- a/ext/openssl/ossl_x509ext.c
+++ b/ext/openssl/ossl_x509ext.c
@@ -26,9 +26,12 @@
     OSSL_Check_Kind(obj, cX509Ext); \
     GetX509Ext(obj, ext); \
 } while (0)
-
-#define MakeX509ExtFactory(klass, obj, ctx) \
-    obj = Data_Make_Struct(klass, X509V3_CTX, 0, ossl_x509extfactory_free, ctx)
+#define MakeX509ExtFactory(klass, obj, ctx) do { \
+    if (!(ctx = OPENSSL_malloc(sizeof(X509V3_CTX)))) \
+        ossl_raise(rb_eRuntimeError, "CTX wasn't allocated!"); \
+    X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, 0); \
+    obj = Data_Wrap_Struct(klass, 0, ossl_x509extfactory_free, ctx); \
+} while (0)
 #define GetX509ExtFactory(obj, ctx) do { \
     Data_Get_Struct(obj, X509V3_CTX, ctx); \
     if (!ctx) { \
@@ -214,6 +217,12 @@ ossl_x509extfactory_create_ext(int argc, VALUE *argv, VALUE self)
     X509_EXTENSION *ext;
     VALUE oid, value, critical, valstr, obj;
     int nid;
+#ifdef HAVE_X509V3_EXT_NCONF_NID
+    VALUE rconf;
+    CONF *conf;
+#else
+    static LHASH *empty_lhash;
+#endif
 
     rb_scan_args(argc, argv, "21", &oid, &value, &critical);
     StringValue(oid);
@@ -226,7 +235,14 @@ ossl_x509extfactory_create_ext(int argc, VALUE *argv, VALUE self)
     valstr = rb_str_new2(RTEST(critical) ? "critical," : "");
     rb_str_append(valstr, value);
     GetX509ExtFactory(self, ctx);
-    ext = X509V3_EXT_conf_nid(NULL, ctx, nid, RSTRING(valstr)->ptr);
+#ifdef HAVE_X509V3_EXT_NCONF_NID
+    rconf = rb_iv_get(self, "@config");
+    conf = NIL_P(rconf) ? NULL : GetConfigPtr(rconf);
+    ext = X509V3_EXT_nconf_nid(conf, ctx, nid, RSTRING(valstr)->ptr);
+#else
+    if (!empty_lhash) empty_lhash = lh_new(NULL, NULL);
+    ext = X509V3_EXT_conf_nid(empty_lhash, ctx, nid, RSTRING(valstr)->ptr);
+#endif
     if (!ext){
 	ossl_raise(eX509ExtError, "%s = %s",
 		   RSTRING(oid)->ptr, RSTRING(value)->ptr);
diff --git a/test/openssl/test_x509ext.rb b/test/openssl/test_x509ext.rb
new file mode 100644
index 0000000000..d43bbd6bd3
--- /dev/null
+++ b/test/openssl/test_x509ext.rb
@@ -0,0 +1,74 @@
+begin
+  require "openssl"
+  require File.join(File.dirname(__FILE__), "utils.rb")
+rescue LoadError
+end
+require "test/unit"
+
+if defined?(OpenSSL)
+
+class OpenSSL::TestX509Extension < Test::Unit::TestCase
+  def setup
+    @basic_constraints_value = OpenSSL::ASN1::Sequence([
+      OpenSSL::ASN1::Boolean(true),   # CA
+      OpenSSL::ASN1::Integer(2)       # pathlen
+    ])
+    @basic_constraints = OpenSSL::ASN1::Sequence([
+      OpenSSL::ASN1::ObjectId("basicConstraints"),
+      OpenSSL::ASN1::Boolean(true),
+      OpenSSL::ASN1::OctetString(@basic_constraints_value.to_der),
+    ])
+  end
+
+  def teardown
+  end
+
+  def test_new
+    ext = OpenSSL::X509::Extension.new(@basic_constraints.to_der)
+    assert_equal("basicConstraints", ext.oid)
+    assert_equal(true, ext.critical?)
+    assert_equal("CA:TRUE, pathlen:2", ext.value)
+
+    ext = OpenSSL::X509::Extension.new("2.5.29.19",
+                                       @basic_constraints_value.to_der, true)
+    assert_equal(@basic_constraints.to_der, ext.to_der)
+  end
+
+  def test_create_by_factory
+    ef = OpenSSL::X509::ExtensionFactory.new
+
+    bc = ef.create_extension("basicConstraints", "critical, CA:TRUE, pathlen:2")
+    assert_equal(@basic_constraints.to_der, bc.to_der)
+
+    bc = ef.create_extension("basicConstraints", "CA:TRUE, pathlen:2", true)
+    assert_equal(@basic_constraints.to_der, bc.to_der)
+
+    begin
+      ef.config = OpenSSL::Config.parse(<<-_end_of_cnf_)
+      [crlDistPts]
+      URI.1 = http://www.example.com/crl
+      URI.2 = ldap://ldap.example.com/cn=ca?certificateRevocationList;binary
+      _end_of_cnf_
+    rescue NotImplementedError
+      return
+    end
+
+    cdp = ef.create_extension("crlDistributionPoints", "@crlDistPts")
+    assert_equal(false, cdp.critical?)
+    assert_equal("crlDistributionPoints", cdp.oid)
+    assert_match(%{URI:http://www\.example\.com/crl}, cdp.value)
+    assert_match(
+      %r{URI:ldap://ldap\.example\.com/cn=ca\?certificateRevocationList;binary},
+      cdp.value)
+
+    cdp = ef.create_extension("crlDistributionPoints", "critical, @crlDistPts")
+    assert_equal(true, cdp.critical?)
+    assert_equal("crlDistributionPoints", cdp.oid)
+    assert_match(%{URI:http://www.example.com/crl}, cdp.value)
+    assert_match(
+      %r{URI:ldap://ldap.example.com/cn=ca\?certificateRevocationList;binary},
+      cdp.value)
+  end
+end
+
+end