author Sorah Fukumori <her@sorah.jp> 2020-04-03 00:49:12 +0900
committer Sorah Fukumori <her@sorah.jp> 2020-04-03 00:49:12 +0900
commit 0f57d66f9e1e7bf4419d9d3a70132bbc4006f9fe
tree de84dfbdb59fc678a1350f7cdad058dcb87ea54d /lib/webrick
parent 9ddf1472375a590d1b1c3856f90fedf151fe30a3
webrick/ssl: More keyUsage for self-signed certs

Chrome 75+ started to strictly enforce X.509 keyUsage against TLS server certificates.

Webrick supports generating instant self-signed certificates for debugging purposes and these certificates lack the required keyUsage for modern TLS.

So adding the following keyUsages:

- digitalSignature (for server authentication)
- keyAgreement (for DH key exchange)
- dataEncipherment (for data encryption)

References:

- https://tools.ietf.org/html/rfc5280#section-4.2.1.3
- https://crbug.com/795089
- https://boringssl-review.googlesource.com/c/34604

Diffstat (limited to 'lib/webrick')
-rw-r--r-- lib/webrick/ssl.rb 2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/webrick/ssl.rb b/lib/webrick/ssl.rb
index d125083528..ab1837fda6 100644
--- a/lib/webrick/ssl.rb
+++ b/lib/webrick/ssl.rb
@@ -122,7 +122,7 @@ module WEBrick
ef.issuer_certificate = cert
cert.extensions = [
ef.create_extension("basicConstraints","CA:FALSE"),
- ef.create_extension("keyUsage", "keyEncipherment"),
+ ef.create_extension("keyUsage", "keyEncipherment, digitalSignature, keyAgreement, dataEncipherment"),
ef.create_extension("subjectKeyIdentifier", "hash"),
ef.create_extension("extendedKeyUsage", "serverAuth"),
ef.create_extension("nsComment", comment),
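
Review bot: on the added keyUsage line, keyAgreement and dataEncipherment look broader than a TLS server certificate needs. RFC 5280 section 4.2.1.3, which the commit message cites, describes dataEncipherment as direct encipherment of raw user data with the certificate key, which TLS does not do, and keyAgreement as applying when the certificate's own public key is used for key agreement (for example a Diffie-Hellman key). If the key generated for this certificate is RSA (the key type is not visible in this hunk), consider limiting the value to "keyEncipherment, digitalSignature" so the debugging certificate asserts only the usages it exercises. The diffstat shows lib/webrick/ssl.rb as the only file changed, so a test asserting the keyUsage of the generated certificate would also help keep this from regressing.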