tests: test mtls also w/ clientAuth EKU only

The google chrome root program will stop allowing roots that have both clientAuth and ServerAuth [1]. In one of the mtls tests, use a certificate with only the clientAuth EKU. [1] https://googlechrome.github.io/chromerootprogram/#322-pki-hierarchies-included-in-the-chrome-root-store Closes #17493
2026-04-11 12:01:42 +08:00 · 2025-05-30 18:59:14 +03:00 · 2025-05-30 18:59:14 +03:00 · 2cf19c245e
commit 2cf19c245e
parent b53848738c
3 changed files with 37 additions and 2 deletions
--- a/tests/certs/Makefile.inc
+++ b/tests/certs/Makefile.inc
@ -31,7 +31,8 @@ CERTCONFIGS = \
  test-localhost0h.prm \
  test-localhost-san-first.prm \
  test-localhost-san-last.prm \
-  test-client-cert.prm
+  test-client-cert.prm \
+  test-client-eku-only.prm

 GENERATEDCERTS = \
  test-ca.cacert \
--- a/tests/certs/test-client-eku-only.prm
+++ b/tests/certs/test-client-eku-only.prm
@ -0,0 +1,34 @@
+extensions = x509v3
+
+[ x509v3 ]
+subjectAltName          = DNS:localhost
+keyUsage                = keyEncipherment,digitalSignature,keyAgreement
+extendedKeyUsage        = clientAuth
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid
+basicConstraints        = CA:false
+authorityInfoAccess     = @issuer_info
+crlDistributionPoints   = @crl_info
+
+[ crl_ext ]
+authorityKeyIdentifier  = keyid:always
+authorityInfoAccess     = @issuer_info
+
+[ issuer_info ]
+caIssuers;URI.0         = http://test.curl.se/ca/EdelCurlRoot.cer
+
+[ crl_info ]
+URI.0                   = http://test.curl.se/ca/EdelCurlRoot.crl
+
+[ req ]
+distinguished_name      = req_DN
+default_md              = sha256
+string_mask             = utf8only
+
+[ req_DN ]
+countryName             = "Country Name is Northern Nowhere"
+countryName_value       = NN
+organizationName        = "Organization Name"
+organizationName_value  = Edel Curl Arctic Illudium Research Cloud
+commonName              = "Common Name"
+commonName_value        = localhost
--- a/tests/data/test2088
+++ b/tests/data/test2088
@ -37,7 +37,7 @@ https-mtls
 HTTPS GET with client authentication (mtls)
 </name>
 <command>
--cacert %CERTDIR/certs/test-ca.crt --cert %CERTDIR/certs/test-client-cert.crt --key %CERTDIR/certs/test-client-cert.key https://localhost:%HTTPS-MTLSPORT/%TESTNUMBER
+--cacert %CERTDIR/certs/test-ca.crt --cert %CERTDIR/certs/test-client-eku-only.crt --key %CERTDIR/certs/test-client-eku-only.key https://localhost:%HTTPS-MTLSPORT/%TESTNUMBER
 </command>
 </client>