From f4f05f23d55b4d828cba1b834d8a3c97877f734e Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Tue, 13 Sep 2022 14:24:54 +0300
Subject: [PATCH] OpenSSL: follow RFC on basicConstraints too (#6018)

---
 src/etc/ssl/opnsense.cnf | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/src/etc/ssl/opnsense.cnf b/src/etc/ssl/opnsense.cnf
index f196ab6b2..7c6d9c985 100644
--- a/src/etc/ssl/opnsense.cnf
+++ b/src/etc/ssl/opnsense.cnf
@@ -206,11 +206,9 @@ subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
+# basicConstraints (rfc5280): Conforming CAs MUST include this extension in all CA certificates that contain public
+# keys used to validate digital signatures on certificates and MUST mark the extension as critical in such certificates.
+basicConstraints = critical, CA:true
 # keyUsage (rfc5280): Conforming CAs MUST include this extension in certificates that contain public keys
 # that are used to validate digital signatures on other public key certificates or CRLs.
 # When present, conforming CAs SHOULD mark this extension as critical.
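Review bot: The removed comment block recorded why basicConstraints had been left non-critical (some software rejecting critical extensions), and the replacement comment keeps only the RFC 5280 wording, so the compatibility decision behind the new `critical, CA:true` line is no longer documented in the file. A short note next to the setting, such as `# Marked critical per RFC 5280; software that rejects critical extensions is non-conforming and is not accommodated here.`, would preserve that rationale for the next person who sees a client fail to validate the CA. The enclosing section header is outside the hunk, so it is not visible whether this profile is used only for self-signed roots; if it also issues intermediate CAs, a `pathlen:` limit on the same line is worth considering, and the keyUsage value introduced by the trailing comment (also outside the hunk) should carry keyCertSign and cRLSign to match. As a style point, the two added comment lines run well past 100 columns while the surrounding comments wrap shorter.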