Re: [ovs-dev] [PATCH] ovs-pki: Reduce CA certificate validity to 10 years to fix 32-bit OpenSSL.

Ben Pfaff Wed, 08 May 2013 10:22:00 -0700

On Tue, May 07, 2013 at 04:58:24PM -0700, Gurucharan Shetty wrote:
> On Tue, May 7, 2013 at 4:34 PM, Ben Pfaff <b...@nicira.com> wrote:
> 
> > Before I applied this commit, when I generated CA certificate with OpenSSL
> > 0.9.8o on my 32-bit Debian system, I got a certificate that expired
> > sometime in 1977.  This made all SSL-based tests fail with an invalid
> > certificate.
> >
> > 32-bit time_t only extends to 2038, so this must be a bug in OpenSSL.
> > This commit works around the problem by reducing the validity period of
> > certificates to 10 years.
> >
> > CC: Gurucharan Shetty <gshe...@nicira.com>
> > Signed-off-by: Ben Pfaff <b...@nicira.com>
> > ---
> >  utilities/ovs-pki.in |    6 +++---
> >  1 files changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
> > index 1cf9274..cfcb831 100755
> > --- a/utilities/ovs-pki.in
> > +++ b/utilities/ovs-pki.in
> > @@ -1,6 +1,6 @@
> >  #! /bin/sh
> >
> > -# Copyright (c) 2008, 2009, 2010, 2011, 2012 Nicira, Inc.
> > +# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc.
> >  #
> >  # Licensed under the Apache License, Version 2.0 (the "License");
> >  # you may not use this file except in compliance with the License.
> > @@ -272,7 +272,7 @@ certificate    = $dir/cacert.pem       # The CA cert
> >  serial         = $dir/serial           # serial no file
> >  private_key    = $dir/private/cakey.pem# CA private key
> >  RANDFILE       = $dir/private/.rand    # random number file
> > -default_days   = 36525                 # how long to certify for
> > +default_days   = 3650                  # how long to certify for
> >  default_crl_days= 30                   # how long before next CRL
> >  default_md     = md5                   # md to use
> >  policy         = policy                # default policy
> > @@ -303,7 +303,7 @@ EOF
> >              -newkey $newkey -keyout private/cakey.pem -out careq.pem \
> >              1>&3 2>&3
> >          openssl ca -config ca.cnf -create_serial -out cacert.pem \
> > -            -days 36525 -batch -keyfile private/cakey.pem -selfsign \
> > +            -days 3650 -batch -keyfile private/cakey.pem -selfsign \
> >              -infiles careq.pem 1>&3 2>&3
> >          chmod 0700 private/cakey.pem
> 
> 
> There is one more place in ovs-pki that needs this change. (self-sign block)


You're right.  Thanks for spotting that.  Revised patch appended.
How's it look?

> Else looks good to me. I guess, it needs back-porting.

Yes, I'll do that.

Thanks,

Ben.

--8<--------------------------cut here-------------------------->8--

From: Ben Pfaff <b...@nicira.com>
Date: Wed, 8 May 2013 10:20:10 -0700
Subject: [PATCH] ovs-pki: Reduce CA certificate validity to 10 years to fix 
32-bit OpenSSL.

Before I applied this commit, when I generated CA certificate with OpenSSL
0.9.8o on my 32-bit Debian system, I got a certificate that expired
sometime in 1977.  This made all SSL-based tests fail with an invalid
certificate.

32-bit time_t only extends to 2038, so this must be a bug in OpenSSL.
This commit works around the problem by reducing the validity period of
certificates to 10 years.

CC: Gurucharan Shetty <gshe...@nicira.com>
Signed-off-by: Ben Pfaff <b...@nicira.com>
---
 utilities/ovs-pki.in |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
index 1cf9274..501b06e 100755
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -1,6 +1,6 @@
 #! /bin/sh
 
-# Copyright (c) 2008, 2009, 2010, 2011, 2012 Nicira, Inc.
+# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -272,7 +272,7 @@ certificate    = $dir/cacert.pem       # The CA cert
 serial         = $dir/serial           # serial no file
 private_key    = $dir/private/cakey.pem# CA private key
 RANDFILE       = $dir/private/.rand    # random number file
-default_days   = 36525                 # how long to certify for
+default_days   = 3650                  # how long to certify for
 default_crl_days= 30                   # how long before next CRL
 default_md     = md5                   # md to use
 policy         = policy                # default policy
@@ -303,7 +303,7 @@ EOF
             -newkey $newkey -keyout private/cakey.pem -out careq.pem \
             1>&3 2>&3
         openssl ca -config ca.cnf -create_serial -out cacert.pem \
-            -days 36525 -batch -keyfile private/cakey.pem -selfsign \
+            -days 3650 -batch -keyfile private/cakey.pem -selfsign \
             -infiles careq.pem 1>&3 2>&3
         chmod 0700 private/cakey.pem
 
@@ -514,7 +514,7 @@ elif test "$command" = self-sign; then
     # Create both the private key and certificate with restricted permissions.
     (umask 077 && \
      openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem.tmp" \
-        -signkey "$arg1-privkey.pem" -req -days 36525 -text) 2>&3 || exit $?
+        -signkey "$arg1-privkey.pem" -req -days 3650 -text) 2>&3 || exit $?
 
     # Reset the permissions on the certificate to the user's default.
     cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"
-- 
1.7.2.5

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev

Re: [ovs-dev] [PATCH] ovs-pki: Reduce CA certificate validity to 10 years to fix 32-bit OpenSSL.

Reply via email to