[Pkg-openssl-devel] Bug#449553: Wrong "Not After" date if too many days specified - time_t overflow?
Adam Majer
adamm at zombino.com
Tue Nov 6 16:21:54 UTC 2007
Package: openssl
Version: 0.9.8e-9
Severity: important
Trying to generate a certificate that is too far in the future seems
to result in invalid dates, at least as portrayed by the openssl
utility. This may be a cosmetic thing and the certificate is still
correct, but as is, the dates are wrong.
The following is about 12 years into the future:
adamm at mira:/tmp/t$ openssl ca -in t -out cert.pem -keyfile privkey.pem -selfsign -days 13650 -outdir `pwd`
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for privkey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 3 (0x3)
Validity
Not Before: Nov 6 16:11:48 2007 GMT
Not After : Feb 13 09:43:32 1909 GMT
Subject:
countryName = CA
stateOrProvinceName = Man
organizationName = Widget
organizationalUnitName = test
commonName = zombino
emailAddress = test at galsoft.net
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E4:E4:B2:15:36:D9:68:1B:06:FD:C3:6C:90:19:A8:AA:CD:BF:8D:D7
X509v3 Authority Key Identifier:
keyid:E4:E4:B2:15:36:D9:68:1B:06:FD:C3:6C:90:19:A8:AA:CD:BF:8D:D7
Certificate is to be certified until Sep 2 13:09:43 2019 GMT (13650 days)
Sign the certificate? [y/n]:
which gives the correct "certificate valid until" date, but Not After is
messed up. If I go 10x that amount, both numbers will be wrong:
adamm at mira:/tmp/t$ openssl ca -in t -out cert.pem -keyfile privkey.pem -selfsign -days 136500 -outdir `pwd`
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for privkey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 3 (0x3)
Validity
Not Before: Nov 6 16:19:23 2007 GMT
Not After : Apr 7 20:54:35 1973 GMT
Subject:
countryName = CA
stateOrProvinceName = Man
organizationName = Widget
organizationalUnitName = test
commonName = zombino
emailAddress = test at galsoft.net
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E4:E4:B2:15:36:D9:68:1B:06:FD:C3:6C:90:19:A8:AA:CD:BF:8D:D7
X509v3 Authority Key Identifier:
keyid:E4:E4:B2:15:36:D9:68:1B:06:FD:C3:6C:90:19:A8:AA:CD:BF:8D:D7
Certificate is to be certified until Apr 7 20:54:35 1973 GMT (136500 days)
Sign the certificate? [y/n]:
I know that the OpenSSL library uses different structures on the inside to
represent dates, but I'm not sure what openssl (the utility) is doing.
- Adam
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (900, 'unstable'), (5, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-1-k7 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages openssl depends on:
ii libc6 2.6.1-5 GNU C Library: Shared libraries
ii libssl0.9.8 0.9.8e-9 SSL shared libraries
ii zlib1g 1:1.2.3.3.dfsg-6 compression library - runtime
openssl recommends no packages.
-- no debconf information
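
Added example (not part of the original report and not OpenSSL's code): a model of the overflow the subject line suspects, assuming the end time is computed in a signed 32-bit seconds value that wraps, as long and time_t would on the i386 system listed above. It models only the two "Not After" lines, using the "Not Before" timestamps from the report converted to Unix seconds; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define SECS_PER_DAY 86400LL

/* Reduce a 64-bit seconds count to what a signed 32-bit time_t/long holds
 * (assumption: two's-complement wraparound, as on the reporter's i386). */
static int32_t wrap32(int64_t v)
{
    uint32_t u = (uint32_t)v;                 /* well defined: v mod 2^32 */
    return u > (uint32_t)INT32_MAX ? (int32_t)((int64_t)u - 4294967296LL)
                                   : (int32_t)u;
}

/* notAfter as a 32-bit build would compute it; wrapping the product first or
 * the sum last gives the same value, since both are taken mod 2^32. */
static int32_t not_after_32(int32_t not_before, int64_t days)
{
    return wrap32((int64_t)not_before + days * SECS_PER_DAY);
}

/* Largest -days value that still lands on or before 2038-01-19 03:14:07. */
static int64_t max_safe_days(int32_t not_before)
{
    return ((int64_t)INT32_MAX - not_before) / SECS_PER_DAY;
}

static void show(const char *label, int32_t t)
{
    char buf[64];
    time_t tt = (time_t)t;                    /* host time_t may be 64-bit */
    struct tm *tm = gmtime(&tt);
    if (tm && strftime(buf, sizeof buf, "%b %e %H:%M:%S %Y GMT", tm))
        printf("%-22s %s\n", label, buf);
}

int main(void)
{
    /* "Not Before" values from the two runs in the report, as Unix seconds. */
    const int32_t nb1 = 1194365508;           /* Nov  6 16:11:48 2007 GMT */
    const int32_t nb2 = 1194365963;           /* Nov  6 16:19:23 2007 GMT */

    show("-days 13650  (32-bit):", not_after_32(nb1, 13650));
    show("-days 136500 (32-bit):", not_after_32(nb2, 136500));
    printf("largest safe -days:    %lld\n", (long long)max_safe_days(nb1));
    return 0;
}
```

Under this model the two runs give Feb 13 09:43:32 1909 GMT and Apr 7 20:54:35 1973 GMT, the same "Not After" values the utility printed, and any -days value above the printed limit issued at that moment would wrap.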