[ovs-dev] [PATCH] ovs-pki: Reduce CA certificate validity to 10 years to fix 32-bit OpenSSL.
Ben Pfaff
blp at nicira.com
Wed May 8 17:32:33 UTC 2013
On Wed, May 08, 2013 at 10:25:22AM -0700, Gurucharan Shetty wrote:
> On Wed, May 8, 2013 at 10:21 AM, Ben Pfaff <blp at nicira.com> wrote:
>
> > On Tue, May 07, 2013 at 04:58:24PM -0700, Gurucharan Shetty wrote:
> > > On Tue, May 7, 2013 at 4:34 PM, Ben Pfaff <blp at nicira.com> wrote:
> > >
> > > > Before I applied this commit, when I generated CA certificate with
> > OpenSSL
> > > > 0.9.8o on my 32-bit Debian system, I got a certificate that expired
> > > > sometime in 1977. This made all SSL-based tests fail with an invalid
> > > > certificate.
> > > >
> > > > 32-bit time_t only extends to 2038, so this must be a bug in OpenSSL.
> > > > This commit works around the problem by reducing the validity period of
> > > > certificates to 10 years.
> >
> > >
> > > > CC: Gurucharan Shetty <gshetty at nicira.com>
> > > > Signed-off-by: Ben Pfaff <blp at nicira.com>
> > > > ---
> > > > utilities/ovs-pki.in | 6 +++---
> > > > 1 files changed, 3 insertions(+), 3 deletions(-)
> > > >
> > > > diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
> > > > index 1cf9274..cfcb831 100755
> > > > --- a/utilities/ovs-pki.in
> > > > +++ b/utilities/ovs-pki.in
> > > > @@ -1,6 +1,6 @@
> > > > #! /bin/sh
> > > >
> > > > -# Copyright (c) 2008, 2009, 2010, 2011, 2012 Nicira, Inc.
> > > > +# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc.
> > > > #
> > > > # Licensed under the Apache License, Version 2.0 (the "License");
> > > > # you may not use this file except in compliance with the License.
> > > > @@ -272,7 +272,7 @@ certificate = $dir/cacert.pem # The CA
> > cert
> > > > serial = $dir/serial # serial no file
> > > > private_key = $dir/private/cakey.pem# CA private key
> > > > RANDFILE = $dir/private/.rand # random number file
> > > > -default_days = 36525 # how long to certify for
> > > > +default_days = 3650 # how long to certify for
> > > > default_crl_days= 30 # how long before next CRL
> > > > default_md = md5 # md to use
> > > > policy = policy # default policy
> > > > @@ -303,7 +303,7 @@ EOF
> > > > -newkey $newkey -keyout private/cakey.pem -out careq.pem \
> > > > 1>&3 2>&3
> > > > openssl ca -config ca.cnf -create_serial -out cacert.pem \
> > > > - -days 36525 -batch -keyfile private/cakey.pem -selfsign \
> > > > + -days 3650 -batch -keyfile private/cakey.pem -selfsign \
> > > > -infiles careq.pem 1>&3 2>&3
> > > > chmod 0700 private/cakey.pem
> > >
> > >
> > > There is one more place in ovs-pki that needs this change. (self-sign
> > block)
> >
> > You're right. Thanks for spotting that. Revised patch appended.
> > How's it look?
> >
> > > Else looks good to me. I guess, it needs back-porting.
> >
> > Yes, I'll do that.
> >
> > Thanks,
> >
> > Ben.
> >
> > --8<--------------------------cut here-------------------------->8--
> >
> > From: Ben Pfaff <blp at nicira.com>
> > Date: Wed, 8 May 2013 10:20:10 -0700
> > Subject: [PATCH] ovs-pki: Reduce CA certificate validity to 10 years to
> > fix 32-bit OpenSSL.
> >
> > Before I applied this commit, when I generated CA certificate with OpenSSL
> > 0.9.8o on my 32-bit Debian system, I got a certificate that expired
> > sometime in 1977. This made all SSL-based tests fail with an invalid
> > certificate.
> >
> > 32-bit time_t only extends to 2038, so this must be a bug in OpenSSL.
> > This commit works around the problem by reducing the validity period of
> > certificates to 10 years.
> >
> > CC: Gurucharan Shetty <gshetty at nicira.com>
> > Signed-off-by: Ben Pfaff <blp at nicira.com>
> > ---
> > utilities/ovs-pki.in | 8 ++++----
> > 1 files changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
> > index 1cf9274..501b06e 100755
> > --- a/utilities/ovs-pki.in
> > +++ b/utilities/ovs-pki.in
> > @@ -1,6 +1,6 @@
> > #! /bin/sh
> >
> > -# Copyright (c) 2008, 2009, 2010, 2011, 2012 Nicira, Inc.
> > +# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc.
> > #
> > # Licensed under the Apache License, Version 2.0 (the "License");
> > # you may not use this file except in compliance with the License.
> > @@ -272,7 +272,7 @@ certificate = $dir/cacert.pem # The CA cert
> > serial = $dir/serial # serial no file
> > private_key = $dir/private/cakey.pem# CA private key
> > RANDFILE = $dir/private/.rand # random number file
> > -default_days = 36525 # how long to certify for
> > +default_days = 3650 # how long to certify for
> > default_crl_days= 30 # how long before next CRL
> > default_md = md5 # md to use
> > policy = policy # default policy
> > @@ -303,7 +303,7 @@ EOF
> > -newkey $newkey -keyout private/cakey.pem -out careq.pem \
> > 1>&3 2>&3
> > openssl ca -config ca.cnf -create_serial -out cacert.pem \
> > - -days 36525 -batch -keyfile private/cakey.pem -selfsign \
> > + -days 3650 -batch -keyfile private/cakey.pem -selfsign \
> > -infiles careq.pem 1>&3 2>&3
> > chmod 0700 private/cakey.pem
> >
> > @@ -514,7 +514,7 @@ elif test "$command" = self-sign; then
> > # Create both the private key and certificate with restricted
> > permissions.
> > (umask 077 && \
> > openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem.tmp" \
> > - -signkey "$arg1-privkey.pem" -req -days 36525 -text) 2>&3 || exit
> > $?
> > + -signkey "$arg1-privkey.pem" -req -days 3650 -text) 2>&3 || exit
> > $?
> >
> > # Reset the permissions on the certificate to the user's default.
> > cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"
> > --
> > 1.7.2.5
> >
> Looks good to me.
> Thanks,
> Guru
Thanks, applied and backported to branch-1.11. It looks like
branch-1.10 didn't have the 100-year validity, so that's where I
stopped backporting.
Thanks,
Ben.
More information about the dev
mailing list