From 6eedf8363affeb8644950c72022c00cbdd22b189 Mon Sep 17 00:00:00 2001
From: reyk <>
Date: Sat, 26 Jun 2010 18:42:02 +0000
Subject: Add the extendedKeyUsage flags serverAuth and clientAuth. Newer Windows version require these flags to accept the X.509 certificates from the gateway or client; I just add both flags to make it work in both cases and verified it with win7, for example when authenticating against iked. go ahead beck@
---
 src/lib/libssl/x509v3.cnf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/lib/libssl/x509v3.cnf b/src/lib/libssl/x509v3.cnf
index 5835534b96..8c6b775da1 100644
--- a/src/lib/libssl/x509v3.cnf
+++ b/src/lib/libssl/x509v3.cnf
@@ -1,6 +1,7 @@
 # default settings
 CERTPATHLEN = 1
 CERTUSAGE = digitalSignature,keyCertSign,cRLSign
+EXTCERTUSAGE = serverAuth,clientAuth
 CERTIP = 0.0.0.0
 CERTFQDN = nohost.nodomain
 
@@ -18,9 +19,11 @@ keyUsage=$ENV::CERTUSAGE
 # The address must be provided in the CERTIP environment variable
 [x509v3_IPAddr]
 subjectAltName=IP:$ENV::CERTIP
+extendedKeyUsage=$ENV::EXTCERTUSAGE
 
 # This section should be referenced to add a FQDN hostname
 # as an alternate subject name, needed by isakmpd
 # The address must be provided in the CERTFQDN environment variable
 [x509v3_FQDN]
 subjectAltName=DNS:$ENV::CERTFQDN
+extendedKeyUsage=$ENV::EXTCERTUSAGE
-- cgit v1.2.3-55-g6feb
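Review bot: The default `EXTCERTUSAGE = serverAuth,clientAuth` gives every certificate issued without an override both purposes, so a certificate handed to a client would also pass as a server certificate for any peer that trusts the same CA and relies on the EKU to tell the roles apart. The commit message explains that both flags are set so either role works, but nothing in the file says the value is meant to be narrowed when the role is known. I would add a comment above the new line, for example `# EKU for host certificates; set EXTCERTUSAGE to serverAuth or clientAuth alone when the certificate's role is known`. This assumes the value can be overridden from the environment the same way the other defaults in this block appear to be.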
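Review bot: The comment blocks above `[x509v3_IPAddr]` and `[x509v3_FQDN]` still name only CERTIP and CERTFQDN as the variables a caller supplies, although both sections now also read `$ENV::EXTCERTUSAGE`. A line such as `# extendedKeyUsage is taken from the EXTCERTUSAGE environment variable` in each block would make the new input visible to whoever issues certificates through these sections. The first comment block begins above the hunk, so the wording may need adjusting to what is already there.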