On Wed, May 8, 2013 at 10:21 AM, Ben Pfaff <b...@nicira.com> wrote:
> On Tue, May 07, 2013 at 04:58:24PM -0700, Gurucharan Shetty wrote: > > On Tue, May 7, 2013 at 4:34 PM, Ben Pfaff <b...@nicira.com> wrote: > > > > > Before I applied this commit, when I generated CA certificate with > OpenSSL > > > 0.9.8o on my 32-bit Debian system, I got a certificate that expired > > > sometime in 1977. This made all SSL-based tests fail with an invalid > > > certificate. > > > > > > 32-bit time_t only extends to 2038, so this must be a bug in OpenSSL. > > > This commit works around the problem by reducing the validity period of > > > certificates to 10 years. > > > > > > CC: Gurucharan Shetty <gshe...@nicira.com> > > > Signed-off-by: Ben Pfaff <b...@nicira.com> > > > --- > > > utilities/ovs-pki.in | 6 +++--- > > > 1 files changed, 3 insertions(+), 3 deletions(-) > > > > > > diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in > > > index 1cf9274..cfcb831 100755 > > > --- a/utilities/ovs-pki.in > > > +++ b/utilities/ovs-pki.in > > > @@ -1,6 +1,6 @@ > > > #! /bin/sh > > > > > > -# Copyright (c) 2008, 2009, 2010, 2011, 2012 Nicira, Inc. > > > +# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc. > > > # > > > # Licensed under the Apache License, Version 2.0 (the "License"); > > > # you may not use this file except in compliance with the License. > > > @@ -272,7 +272,7 @@ certificate = $dir/cacert.pem # The CA > cert > > > serial = $dir/serial # serial no file > > > private_key = $dir/private/cakey.pem# CA private key > > > RANDFILE = $dir/private/.rand # random number file > > > -default_days = 36525 # how long to certify for > > > +default_days = 3650 # how long to certify for > > > default_crl_days= 30 # how long before next CRL > > > default_md = md5 # md to use > > > policy = policy # default policy > > > @@ -303,7 +303,7 @@ EOF > > > -newkey $newkey -keyout private/cakey.pem -out careq.pem \ > > > 1>&3 2>&3 > > > openssl ca -config ca.cnf -create_serial -out cacert.pem \ > > > - -days 36525 -batch -keyfile private/cakey.pem -selfsign \ > > > + -days 3650 -batch -keyfile private/cakey.pem -selfsign \ > > > -infiles careq.pem 1>&3 2>&3 > > > chmod 0700 private/cakey.pem > > > > > > There is one more place in ovs-pki that needs this change. (self-sign > block) > > You're right. Thanks for spotting that. Revised patch appended. > How's it look? > > > Else looks good to me. I guess, it needs back-porting. > > Yes, I'll do that. > > Thanks, > > Ben. > > --8<--------------------------cut here-------------------------->8-- > > From: Ben Pfaff <b...@nicira.com> > Date: Wed, 8 May 2013 10:20:10 -0700 > Subject: [PATCH] ovs-pki: Reduce CA certificate validity to 10 years to > fix 32-bit OpenSSL. > > Before I applied this commit, when I generated CA certificate with OpenSSL > 0.9.8o on my 32-bit Debian system, I got a certificate that expired > sometime in 1977. This made all SSL-based tests fail with an invalid > certificate. > > 32-bit time_t only extends to 2038, so this must be a bug in OpenSSL. > This commit works around the problem by reducing the validity period of > certificates to 10 years. > > CC: Gurucharan Shetty <gshe...@nicira.com> > Signed-off-by: Ben Pfaff <b...@nicira.com> > --- > utilities/ovs-pki.in | 8 ++++---- > 1 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in > index 1cf9274..501b06e 100755 > --- a/utilities/ovs-pki.in > +++ b/utilities/ovs-pki.in > @@ -1,6 +1,6 @@ > #! /bin/sh > > -# Copyright (c) 2008, 2009, 2010, 2011, 2012 Nicira, Inc. > +# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc. > # > # Licensed under the Apache License, Version 2.0 (the "License"); > # you may not use this file except in compliance with the License. > @@ -272,7 +272,7 @@ certificate = $dir/cacert.pem # The CA cert > serial = $dir/serial # serial no file > private_key = $dir/private/cakey.pem# CA private key > RANDFILE = $dir/private/.rand # random number file > -default_days = 36525 # how long to certify for > +default_days = 3650 # how long to certify for > default_crl_days= 30 # how long before next CRL > default_md = md5 # md to use > policy = policy # default policy > @@ -303,7 +303,7 @@ EOF > -newkey $newkey -keyout private/cakey.pem -out careq.pem \ > 1>&3 2>&3 > openssl ca -config ca.cnf -create_serial -out cacert.pem \ > - -days 36525 -batch -keyfile private/cakey.pem -selfsign \ > + -days 3650 -batch -keyfile private/cakey.pem -selfsign \ > -infiles careq.pem 1>&3 2>&3 > chmod 0700 private/cakey.pem > > @@ -514,7 +514,7 @@ elif test "$command" = self-sign; then > # Create both the private key and certificate with restricted > permissions. > (umask 077 && \ > openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem.tmp" \ > - -signkey "$arg1-privkey.pem" -req -days 36525 -text) 2>&3 || exit > $? > + -signkey "$arg1-privkey.pem" -req -days 3650 -text) 2>&3 || exit > $? > > # Reset the permissions on the certificate to the user's default. > cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem" > -- > 1.7.2.5 > Looks good to me. Thanks, Guru
_______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
