[ovs-dev] [PATCH] ovs-pki: Reduce CA certificate validity to 10 years to fix 32-bit OpenSSL.
Gurucharan Shetty
shettyg at nicira.com
Tue May 7 23:58:24 UTC 2013
On Tue, May 7, 2013 at 4:34 PM, Ben Pfaff <blp at nicira.com> wrote:
> Before I applied this commit, when I generated CA certificate with OpenSSL
> 0.9.8o on my 32-bit Debian system, I got a certificate that expired
> sometime in 1977. This made all SSL-based tests fail with an invalid
> certificate.
>
> 32-bit time_t only extends to 2038, so this must be a bug in OpenSSL.
> This commit works around the problem by reducing the validity period of
> certificates to 10 years.
>
> CC: Gurucharan Shetty <gshetty at nicira.com>
> Signed-off-by: Ben Pfaff <blp at nicira.com>
> ---
> utilities/ovs-pki.in | 6 +++---
> 1 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
> index 1cf9274..cfcb831 100755
> --- a/utilities/ovs-pki.in
> +++ b/utilities/ovs-pki.in
> @@ -1,6 +1,6 @@
> #! /bin/sh
>
> -# Copyright (c) 2008, 2009, 2010, 2011, 2012 Nicira, Inc.
> +# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc.
> #
> # Licensed under the Apache License, Version 2.0 (the "License");
> # you may not use this file except in compliance with the License.
> @@ -272,7 +272,7 @@ certificate = $dir/cacert.pem # The CA cert
> serial = $dir/serial # serial no file
> private_key = $dir/private/cakey.pem# CA private key
> RANDFILE = $dir/private/.rand # random number file
> -default_days = 36525 # how long to certify for
> +default_days = 3650 # how long to certify for
> default_crl_days= 30 # how long before next CRL
> default_md = md5 # md to use
> policy = policy # default policy
> @@ -303,7 +303,7 @@ EOF
> -newkey $newkey -keyout private/cakey.pem -out careq.pem \
> 1>&3 2>&3
> openssl ca -config ca.cnf -create_serial -out cacert.pem \
> - -days 36525 -batch -keyfile private/cakey.pem -selfsign \
> + -days 3650 -batch -keyfile private/cakey.pem -selfsign \
> -infiles careq.pem 1>&3 2>&3
> chmod 0700 private/cakey.pem
There is one more place in ovs-pki that needs this change. (self-sign block)
Else looks good to me. I guess, it needs back-porting.
> --
> 1.7.2.5
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openvswitch.org/pipermail/ovs-dev/attachments/20130507/1545b0d6/attachment-0003.html>
More information about the dev
mailing list