[ovs-dev] [PATCH] ovs-pki: Reduce CA certificate validity to 10 years to fix 32-bit OpenSSL.

Gurucharan Shetty shettyg at nicira.com
Wed May 8 17:25:22 UTC 2013


On Wed, May 8, 2013 at 10:21 AM, Ben Pfaff <blp at nicira.com> wrote:

> On Tue, May 07, 2013 at 04:58:24PM -0700, Gurucharan Shetty wrote:
> > On Tue, May 7, 2013 at 4:34 PM, Ben Pfaff <blp at nicira.com> wrote:
> >
> > > Before I applied this commit, when I generated CA certificate with
> OpenSSL
> > > 0.9.8o on my 32-bit Debian system, I got a certificate that expired
> > > sometime in 1977.  This made all SSL-based tests fail with an invalid
> > > certificate.
> > >
> > > 32-bit time_t only extends to 2038, so this must be a bug in OpenSSL.
> > > This commit works around the problem by reducing the validity period of
> > > certificates to 10 years.
>
> >
> > > CC: Gurucharan Shetty <gshetty at nicira.com>
> > > Signed-off-by: Ben Pfaff <blp at nicira.com>
> > > ---
> > >  utilities/ovs-pki.in |    6 +++---
> > >  1 files changed, 3 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
> > > index 1cf9274..cfcb831 100755
> > > --- a/utilities/ovs-pki.in
> > > +++ b/utilities/ovs-pki.in
> > > @@ -1,6 +1,6 @@
> > >  #! /bin/sh
> > >
> > > -# Copyright (c) 2008, 2009, 2010, 2011, 2012 Nicira, Inc.
> > > +# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc.
> > >  #
> > >  # Licensed under the Apache License, Version 2.0 (the "License");
> > >  # you may not use this file except in compliance with the License.
> > > @@ -272,7 +272,7 @@ certificate    = $dir/cacert.pem       # The CA
> cert
> > >  serial         = $dir/serial           # serial no file
> > >  private_key    = $dir/private/cakey.pem# CA private key
> > >  RANDFILE       = $dir/private/.rand    # random number file
> > > -default_days   = 36525                 # how long to certify for
> > > +default_days   = 3650                  # how long to certify for
> > >  default_crl_days= 30                   # how long before next CRL
> > >  default_md     = md5                   # md to use
> > >  policy         = policy                # default policy
> > > @@ -303,7 +303,7 @@ EOF
> > >              -newkey $newkey -keyout private/cakey.pem -out careq.pem \
> > >              1>&3 2>&3
> > >          openssl ca -config ca.cnf -create_serial -out cacert.pem \
> > > -            -days 36525 -batch -keyfile private/cakey.pem -selfsign \
> > > +            -days 3650 -batch -keyfile private/cakey.pem -selfsign \
> > >              -infiles careq.pem 1>&3 2>&3
> > >          chmod 0700 private/cakey.pem
> >
> >
> > There is one more place in ovs-pki that needs this change. (self-sign
> block)
>
> You're right.  Thanks for spotting that.  Revised patch appended.
> How's it look?
>
> > Else looks good to me. I guess, it needs back-porting.
>
> Yes, I'll do that.
>
> Thanks,
>
> Ben.
>
> --8<--------------------------cut here-------------------------->8--
>
> From: Ben Pfaff <blp at nicira.com>
> Date: Wed, 8 May 2013 10:20:10 -0700
> Subject: [PATCH] ovs-pki: Reduce CA certificate validity to 10 years to
> fix 32-bit OpenSSL.
>
> Before I applied this commit, when I generated CA certificate with OpenSSL
> 0.9.8o on my 32-bit Debian system, I got a certificate that expired
> sometime in 1977.  This made all SSL-based tests fail with an invalid
> certificate.
>
> 32-bit time_t only extends to 2038, so this must be a bug in OpenSSL.
> This commit works around the problem by reducing the validity period of
> certificates to 10 years.
>
> CC: Gurucharan Shetty <gshetty at nicira.com>
> Signed-off-by: Ben Pfaff <blp at nicira.com>
> ---
>  utilities/ovs-pki.in |    8 ++++----
>  1 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
> index 1cf9274..501b06e 100755
> --- a/utilities/ovs-pki.in
> +++ b/utilities/ovs-pki.in
> @@ -1,6 +1,6 @@
>  #! /bin/sh
>
> -# Copyright (c) 2008, 2009, 2010, 2011, 2012 Nicira, Inc.
> +# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc.
>  #
>  # Licensed under the Apache License, Version 2.0 (the "License");
>  # you may not use this file except in compliance with the License.
> @@ -272,7 +272,7 @@ certificate    = $dir/cacert.pem       # The CA cert
>  serial         = $dir/serial           # serial no file
>  private_key    = $dir/private/cakey.pem# CA private key
>  RANDFILE       = $dir/private/.rand    # random number file
> -default_days   = 36525                 # how long to certify for
> +default_days   = 3650                  # how long to certify for
>  default_crl_days= 30                   # how long before next CRL
>  default_md     = md5                   # md to use
>  policy         = policy                # default policy
> @@ -303,7 +303,7 @@ EOF
>              -newkey $newkey -keyout private/cakey.pem -out careq.pem \
>              1>&3 2>&3
>          openssl ca -config ca.cnf -create_serial -out cacert.pem \
> -            -days 36525 -batch -keyfile private/cakey.pem -selfsign \
> +            -days 3650 -batch -keyfile private/cakey.pem -selfsign \
>              -infiles careq.pem 1>&3 2>&3
>          chmod 0700 private/cakey.pem
>
> @@ -514,7 +514,7 @@ elif test "$command" = self-sign; then
>      # Create both the private key and certificate with restricted
> permissions.
>      (umask 077 && \
>       openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem.tmp" \
> -        -signkey "$arg1-privkey.pem" -req -days 36525 -text) 2>&3 || exit
> $?
> +        -signkey "$arg1-privkey.pem" -req -days 3650 -text) 2>&3 || exit
> $?
>
>      # Reset the permissions on the certificate to the user's default.
>      cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"
> --
> 1.7.2.5
>
Looks good to me.
Thanks,
Guru
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openvswitch.org/pipermail/ovs-dev/attachments/20130508/efcc4fde/attachment-0003.html>


More information about the dev mailing list