On 10.10.2011 13:14, Dr. Stephen Henson wrote:
On Mon, Oct 10, 2011, Felix Brack (Mailinglist) wrote:

Hello,

My PKI is currently running on a 32 bit machine with OpenSSL
version 0.9.8 suffering from the Y2038 bug. Another 64 bit machine
does not show that bug.

What I need for now is a CA certificate for signing which should
have a validity that extends beyond 2038, say 2050. I can create
such a certificate on the 64 bit machine, no problem. If I use this
certificate on the 32 bit machine to sign certificates created on
the 32 bit machine, will this work, i.e. will the Y2038 bug not show
up as long as the certificate I am signing expires before the
critical date? Or: will OpenSSL on the 32 bit machine deal
correctly with the signing certificate that expires 2050, even
though it can't create such a certificate?


Yes, all versions of OpenSSL should correctly verify any date in a certificate.

If you use OpenSSL 1.0.0 or later you shouldn't see the 2038 issue on any
platform because OpenSSL uses its own internal date routines to bypass the
limitations of system routines.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Hello Steve,

Many thanks for the answer; good to know that this will work.

I know that OpenSSL 1.0.0 has this bug fixed for 32 bit systems too. As I don't want to 'pollute' the Debian system running OpenSSL 0.9.8, I will not compile the new version myself. I will therefore have to wait, at least until it appears in backports.

Felix