[openssl-dev] [openssl.org #3788] Bug: Certificate expiration date error for 9000+ days

Oleg Khovayko via RT rt at openssl.org
Sat Apr 11 16:39:34 UTC 2015


Yes, you are right!

When I build a custom OpenSSL for the upgrade, it installs the package into 
/usr/local/bin, not /usr/bin.
The old 0.9.8 still runs from /usr/bin/.

I fixed the error by:
cd /usr/bin
mv openssl openssl-orig-0.9.8
ln -s /usr/local/bin/openssl .

Thanks for the suggestion, and sorry for disturbing!
Please close this ticket. Maybe it would be a good idea to write a warning for BSD users.

Thanks,
Oleg


Stephen Henson via RT wrote:
> On Wed Apr 08 17:20:33 2015, khovayko at gmail.com wrote:
>> Hi,
>>
>> I am using FreeBSD 8.2, 32bits i386, OpenSSL package:
>> openssl-1.0.1_18 SSL and crypto library
>>
>> During certificate generation, I found the bug:
>> If the requested CA lifespan is too long, then the expiration date drops
>> into the far past, and the CA certificate is invalid.
>>
>> Moreover, no error message is printed, everything works, and this
>> certificate signs other client certificates.
>> But when I tried to log in with these client certs, I received the error:
>> ssl_error_expired_cert_alert - Mozilla, Seamonkey
>> ssl_error_bad_cert_alert - Chrome
>>
>> I assume the problem is in the signed int overflow.
>>
>> See the bug example following:
>>
>> If 10000 days are requested, then the expiration date is written as 1906!
>>
> That's strange. Could you somehow be using OpenSSL 0.9.8 to generate that
> certificate? That's a known bug on older versions and 32 bits but 1.0.1
> includes its own date routines. I just tried this with a 32 bit build and the
> latest 1.0.1 branch and get:
>
> Validity
> Not Before: Apr 11 11:41:26 2015 GMT
> Not After : Aug 27 11:41:26 2042 GMT
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>
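
Added example (not part of the original thread and not OpenSSL code): the arithmetic behind the reported symptom, assuming the old binary adds the validity period to a 32-bit signed time_t as the report suspects. The start timestamp is constructed from the report's date, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define SECS_PER_DAY 86400

/* notAfter computed in 32-bit signed seconds, as a 32-bit time_t would.
 * Unsigned arithmetic keeps the wrap well defined for this demo. */
static int32_t not_after_32(int32_t start, int32_t days)
{
    uint32_t sum = (uint32_t)start + (uint32_t)days * (uint32_t)SECS_PER_DAY;
    return (int32_t)sum;
}

/* Same computation in 64 bits: no wrap. */
static int64_t not_after_64(int64_t start, int64_t days)
{
    return start + days * SECS_PER_DAY;
}

/* UTC calendar year of an epoch timestamp; handles negative values. */
static int year_of(int64_t t)
{
    int64_t days = t / SECS_PER_DAY;
    if (t % SECS_PER_DAY < 0) days--;            /* floor division */
    days += 719468;                               /* rebase to 0000-03-01 */
    int64_t era = (days >= 0 ? days : days - 146096) / 146097;
    int64_t doe = days - era * 146097;            /* day of 400-year era */
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    int64_t mp = (5 * doy + 2) / 153;             /* month, March-based */
    return (int)(yoe + era * 400 + (mp >= 10 ? 1 : 0));
}

/* Range check a CA script could run before signing with an old binary. */
static int fits_32bit(int64_t start, int64_t days)
{
    return not_after_64(start, days) <= INT32_MAX;
}

int main(void)
{
    const int64_t start = 1428513633; /* constructed: 2015-04-08 17:20:33 UTC */
    printf("32-bit notAfter year: %d\n", year_of(not_after_32((int32_t)start, 10000)));
    printf("64-bit notAfter year: %d\n", year_of(not_after_64(start, 10000)));
    printf("8000 days fits: %d, 9000 days fits: %d\n",
           fits_32bit(start, 8000), fits_32bit(start, 9000));
    return 0;
}
```

Running `command -v openssl` and `openssl version` before signing shows which binary and version the shell actually resolves, which is the mismatch found in this ticket.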



