[openssl-dev] [openssl.org #3788] Bug: Certificate expiration date error for 9000+ days
Oleg Khovayko via RT
rt at openssl.org
Sat Apr 11 16:45:51 UTC 2015
Yes, you are right!
When I build a custom OpenSSL for the upgrade, it installs the package into
/usr/local/bin, not /usr/bin.
The old 0.9.8 still runs in /usr/bin/.
I fixed the error by:
cd /usr/bin
mv openssl openssl-orig-0.9.8
ln -s /usr/local/bin/openssl .
Thanks for the suggestion, and sorry for disturbing!
Please close this ticket. Maybe it would be a good idea to write a warning for FreeBSD users.
Thanks,
Oleg
PS:
Also, just for your information:
We created PKI for OpenSSH public keys, based on cryptocurrency blockchain.
See details here: http://emercoin.com/EmerCoin_and_OpenSSH
If you found it useful and have any questions/suggestions, you're welcome.
Stephen Henson via RT wrote:
On Wed Apr 08 17:20:33 2015, khovayko at gmail.com wrote:
Hi,
I am using FreeBSD 8.2, 32bits i386, OpenSSL package:
openssl-1.0.1_18 SSL and crypto library
During certificate generation, I found the bug:
If the requested CA lifespan is too long, then the expiration date drops into
the far past, and the CA certificate is invalid.
Moreover, no error message is printed, everything works, and this
certificate signs other client certificates.
But when I tried to log in with these client certs, I received an error:
ssl_error_expired_cert_alert - Mozilla, Seamonkey
ssl_error_bad_cert_alert - Chrome
I assume the problem is in the signed int overflow.
See the following bug example:
If 10000 days are requested, then the expiration date is written in 1906!
That's strange. Could you somehow be using OpenSSL 0.9.8 to generate that
certificate? That's a known bug on older versions and 32 bits but 1.0.1
includes its own date routines. I just tried this with a 32 bit build and the
latest 1.0.1 branch and get:
Validity
Not Before: Apr 11 11:41:26 2015 GMT
Not After : Aug 27 11:41:26 2042 GMT
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
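
The wraparound suspected in the report, worked through as an added example (not OpenSSL code and not part of the thread). It assumes the old binary kept time as a signed 32-bit count of seconds, takes the Not Before value from the reply as the start time, and uses hypothetical function names.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed input: Not Before from the reply, Apr 11 11:41:26 2015 GMT. */
#define NOT_BEFORE 1428752486LL
#define DAY 86400LL

/* Correct end date: 64-bit seconds since the epoch. */
static int64_t not_after_64(int64_t start, int64_t days) {
    return start + days * DAY;
}

/* Assumed failure model: the same sum kept in a signed 32-bit counter. */
static int64_t not_after_32(int64_t start, int64_t days) {
    uint32_t sum = (uint32_t)(start + days * DAY);   /* reduced modulo 2^32 */
    return sum > INT32_MAX ? (int64_t)sum - 4294967296LL : (int64_t)sum;
}

/* Longest lifespan in days that still fits in the 32-bit counter. */
static int64_t max_safe_days(int64_t start) {
    return (INT32_MAX - start) / DAY;
}

/* Post-issuance check: the silent failure shows up as notAfter <= notBefore. */
static int validity_is_sane(int64_t not_before, int64_t not_after) {
    return not_after > not_before;
}

/* Gregorian year of an epoch timestamp (days-to-civil conversion). */
static int year_of(int64_t secs) {
    int64_t days = secs / DAY - (secs % DAY < 0);    /* floor division */
    int64_t z = days + 719468;
    int64_t era = (z >= 0 ? z : z - 146096) / 146097;
    int64_t doe = z - era * 146097;
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    int64_t mp = (5 * doy + 2) / 153;                /* 0 = March ... 11 = February */
    return (int)(yoe + era * 400 + (mp >= 10));      /* Jan/Feb belong to the next year */
}

int main(void) {
    int64_t bad = not_after_32(NOT_BEFORE, 10000);
    printf("64-bit: expires in %d\n", year_of(not_after_64(NOT_BEFORE, 10000)));
    printf("32-bit: expires in %d, sane=%d\n", year_of(bad), validity_is_sane(NOT_BEFORE, bad));
    printf("max safe lifespan: %lld days\n", (long long)max_safe_days(NOT_BEFORE));
    return 0;
}
```

Under this model a 10000-day request lands in 1906 while the 64-bit result matches the Aug 27 2042 date in the reply, so comparing notAfter against notBefore right after issuance catches the failure that the tool itself does not report.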