[openssl-dev] [openssl.org #3788] Bug: Certificate expiration date error for 9000+ days

Stephen Henson via RT rt at openssl.org
Sat Apr 11 11:44:15 UTC 2015


On Wed Apr 08 17:20:33 2015, khovayko at gmail.com wrote:
> Hi,
>
> I am using FreeBSD 8.2, 32bits i386, OpenSSL package:
> openssl-1.0.1_18 SSL and crypto library
>
> During certificate generation, I found the bug:
> If the requested CA lifespan is too long, then the expiration date drops
> into the far past, and the CA certificate is invalid.
>
> Moreover, no error message is printed, everything works, and this
> certificate signs other client certificates.
> But when I tried to log in with these client certs, I received the error:
> ssl_error_expired_cert_alert - Mozilla, Seamonkey
> ssl_error_bad_cert_alert - Chrome
>
> I assume the problem is a signed int overflow.
>
> See the bug example following:
>
> If I request 10000 days, then the expiration date is written as 1906!
>

That's strange. Could you somehow be using OpenSSL 0.9.8 to generate that
certificate? That's a known bug on older versions and 32 bits but 1.0.1
includes its own date routines. I just tried this with a 32 bit build and the
latest 1.0.1 branch and get:

Validity
Not Before: Apr 11 11:41:26 2015 GMT
Not After : Aug 27 11:41:26 2042 GMT

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
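
The arithmetic behind the two results in this thread, as an added example (not part of the original messages and not OpenSSL's code): adding 10000 days to the notBefore time from the reply, once truncated to a 32-bit signed time_t and once kept in 64 bits, plus a notAfter > notBefore check to run before signing. All function names are hypothetical, and the epoch value was computed for this example from the "Not Before" line above.

```c
#include <stdint.h>
#include <stdio.h>

#define SECS_PER_DAY 86400LL

/* notBefore + days as a 32-bit signed time_t would store it: keep only the
 * low 32 bits of the sum and reinterpret them as a signed value. */
static int64_t add_days_time32(int64_t start, long days) {
    uint32_t low = (uint32_t)(start + days * SECS_PER_DAY);
    return low > (uint32_t)INT32_MAX ? (int64_t)low - 4294967296LL : (int64_t)low;
}

/* The same sum kept in 64 bits, so it does not wrap for realistic lifetimes. */
static int64_t add_days_wide(int64_t start, long days) {
    return start + days * SECS_PER_DAY;
}

/* Largest lifetime (in days) that still fits a 32-bit signed time_t. */
static long max_days_time32(int64_t start) {
    return (long)((INT32_MAX - start) / SECS_PER_DAY);
}

/* Sanity check to run before signing: notAfter must be later than notBefore. */
static int validity_ok(int64_t not_before, int64_t not_after) {
    return not_after > not_before;
}

/* Gregorian year (UTC) of an epoch timestamp, valid for negative values too. */
static int year_of(int64_t secs) {
    int64_t z = (secs >= 0 ? secs : secs - (SECS_PER_DAY - 1)) / SECS_PER_DAY + 719468;
    int64_t era = (z >= 0 ? z : z - 146096) / 146097;
    int64_t doe = z - era * 146097;                       /* day of 400-year era */
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100); /* day of year, March 1 = 0 */
    int64_t mp = (5 * doy + 2) / 153;                     /* month index, March = 0 */
    return (int)(yoe + era * 400 + (mp >= 10));           /* Jan/Feb belong to next year */
}

int main(void) {
    const int64_t not_before = 1428752486LL; /* Apr 11 11:41:26 2015 GMT (constructed) */
    int64_t wrapped = add_days_time32(not_before, 10000);
    int64_t wide = add_days_wide(not_before, 10000);
    printf("32-bit: year %d, valid=%d\n", year_of(wrapped), validity_ok(not_before, wrapped));
    printf("64-bit: year %d, valid=%d\n", year_of(wide), validity_ok(not_before, wide));
    printf("max days before wrap: %ld\n", max_days_time32(not_before));
    return 0;
}
```

Because the wrapped certificate is produced without any error, comparing the parsed notAfter against notBefore after generation is the cheap way to catch it before the CA signs anything else.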


