Before I applied this commit, when I generated CA certificate with OpenSSL
0.9.8o on my 32-bit Debian system, I got a certificate that expired
sometime in 1977. This made all SSL-based tests fail with an invalid
certificate.
32-bit time_t only extends to 2038, so this must be a bug in OpenSSL.
This commit works around the problem by reducing the validity period of
certificates to 10 years.
CC: Gurucharan Shetty <gshe...@nicira.com>
Signed-off-by: Ben Pfaff <b...@nicira.com>
---
utilities/ovs-pki.in | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
index 1cf9274..cfcb831 100755
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -1,6 +1,6 @@
#! /bin/sh
-# Copyright (c) 2008, 2009, 2010, 2011, 2012 Nicira, Inc.
+# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -272,7 +272,7 @@ certificate = $dir/cacert.pem # The CA cert
serial = $dir/serial # serial no file
private_key = $dir/private/cakey.pem# CA private key
RANDFILE = $dir/private/.rand # random number file
-default_days = 36525 # how long to certify for
+default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # md to use
policy = policy # default policy
@@ -303,7 +303,7 @@ EOF
-newkey $newkey -keyout private/cakey.pem -out careq.pem \
1>&3 2>&3
openssl ca -config ca.cnf -create_serial -out cacert.pem \
- -days 36525 -batch -keyfile private/cakey.pem -selfsign \
+ -days 3650 -batch -keyfile private/cakey.pem -selfsign \
-infiles careq.pem 1>&3 2>&3
chmod 0700 private/cakey.pem
--
1.7.2.5
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
