On Wed, May 08, 2013 at 10:25:22AM -0700, Gurucharan Shetty wrote: > On Wed, May 8, 2013 at 10:21 AM, Ben Pfaff <b...@nicira.com> wrote: > > > On Tue, May 07, 2013 at 04:58:24PM -0700, Gurucharan Shetty wrote: > > > On Tue, May 7, 2013 at 4:34 PM, Ben Pfaff <b...@nicira.com> wrote: > > > > > > > Before I applied this commit, when I generated CA certificate with > > OpenSSL > > > > 0.9.8o on my 32-bit Debian system, I got a certificate that expired > > > > sometime in 1977. This made all SSL-based tests fail with an invalid > > > > certificate. > > > > > > > > 32-bit time_t only extends to 2038, so this must be a bug in OpenSSL. > > > > This commit works around the problem by reducing the validity period of > > > > certificates to 10 years. > > > > > > > > > CC: Gurucharan Shetty <gshe...@nicira.com> > > > > Signed-off-by: Ben Pfaff <b...@nicira.com> > > > > --- > > > > utilities/ovs-pki.in | 6 +++--- > > > > 1 files changed, 3 insertions(+), 3 deletions(-) > > > > > > > > diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in > > > > index 1cf9274..cfcb831 100755 > > > > --- a/utilities/ovs-pki.in > > > > +++ b/utilities/ovs-pki.in > > > > @@ -1,6 +1,6 @@ > > > > #! /bin/sh > > > > > > > > -# Copyright (c) 2008, 2009, 2010, 2011, 2012 Nicira, Inc. > > > > +# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc. > > > > # > > > > # Licensed under the Apache License, Version 2.0 (the "License"); > > > > # you may not use this file except in compliance with the License. > > > > @@ -272,7 +272,7 @@ certificate = $dir/cacert.pem # The CA > > cert > > > > serial = $dir/serial # serial no file > > > > private_key = $dir/private/cakey.pem# CA private key > > > > RANDFILE = $dir/private/.rand # random number file > > > > -default_days = 36525 # how long to certify for > > > > +default_days = 3650 # how long to certify for > > > > default_crl_days= 30 # how long before next CRL > > > > default_md = md5 # md to use > > > > policy = policy # default policy > > > > @@ -303,7 +303,7 @@ EOF > > > > -newkey $newkey -keyout private/cakey.pem -out careq.pem \ > > > > 1>&3 2>&3 > > > > openssl ca -config ca.cnf -create_serial -out cacert.pem \ > > > > - -days 36525 -batch -keyfile private/cakey.pem -selfsign \ > > > > + -days 3650 -batch -keyfile private/cakey.pem -selfsign \ > > > > -infiles careq.pem 1>&3 2>&3 > > > > chmod 0700 private/cakey.pem > > > > > > > > > There is one more place in ovs-pki that needs this change. (self-sign > > block) > > > > You're right. Thanks for spotting that. Revised patch appended. > > How's it look? > > > > > Else looks good to me. I guess, it needs back-porting. > > > > Yes, I'll do that. > > > > Thanks, > > > > Ben. > > > > --8<--------------------------cut here-------------------------->8-- > > > > From: Ben Pfaff <b...@nicira.com> > > Date: Wed, 8 May 2013 10:20:10 -0700 > > Subject: [PATCH] ovs-pki: Reduce CA certificate validity to 10 years to > > fix 32-bit OpenSSL. > > > > Before I applied this commit, when I generated CA certificate with OpenSSL > > 0.9.8o on my 32-bit Debian system, I got a certificate that expired > > sometime in 1977. This made all SSL-based tests fail with an invalid > > certificate. > > > > 32-bit time_t only extends to 2038, so this must be a bug in OpenSSL. > > This commit works around the problem by reducing the validity period of > > certificates to 10 years. > > > > CC: Gurucharan Shetty <gshe...@nicira.com> > > Signed-off-by: Ben Pfaff <b...@nicira.com> > > --- > > utilities/ovs-pki.in | 8 ++++---- > > 1 files changed, 4 insertions(+), 4 deletions(-) > > > > diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in > > index 1cf9274..501b06e 100755 > > --- a/utilities/ovs-pki.in > > +++ b/utilities/ovs-pki.in > > @@ -1,6 +1,6 @@ > > #! /bin/sh > > > > -# Copyright (c) 2008, 2009, 2010, 2011, 2012 Nicira, Inc. > > +# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc. > > # > > # Licensed under the Apache License, Version 2.0 (the "License"); > > # you may not use this file except in compliance with the License. > > @@ -272,7 +272,7 @@ certificate = $dir/cacert.pem # The CA cert > > serial = $dir/serial # serial no file > > private_key = $dir/private/cakey.pem# CA private key > > RANDFILE = $dir/private/.rand # random number file > > -default_days = 36525 # how long to certify for > > +default_days = 3650 # how long to certify for > > default_crl_days= 30 # how long before next CRL > > default_md = md5 # md to use > > policy = policy # default policy > > @@ -303,7 +303,7 @@ EOF > > -newkey $newkey -keyout private/cakey.pem -out careq.pem \ > > 1>&3 2>&3 > > openssl ca -config ca.cnf -create_serial -out cacert.pem \ > > - -days 36525 -batch -keyfile private/cakey.pem -selfsign \ > > + -days 3650 -batch -keyfile private/cakey.pem -selfsign \ > > -infiles careq.pem 1>&3 2>&3 > > chmod 0700 private/cakey.pem > > > > @@ -514,7 +514,7 @@ elif test "$command" = self-sign; then > > # Create both the private key and certificate with restricted > > permissions. > > (umask 077 && \ > > openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem.tmp" \ > > - -signkey "$arg1-privkey.pem" -req -days 36525 -text) 2>&3 || exit > > $? > > + -signkey "$arg1-privkey.pem" -req -days 3650 -text) 2>&3 || exit > > $? > > > > # Reset the permissions on the certificate to the user's default. > > cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem" > > -- > > 1.7.2.5 > > > Looks good to me. > Thanks, > Guru
Thanks, applied and backported to branch-1.11. It looks like branch-1.10 didn't have the 100-year validity, so that's where I stopped backporting. Thanks, Ben. _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
