On 07/16/2014 11:24 AM, Salz, Rich wrote:
>> do you realistically think we'll ever drop support for the -days argument
>> though? Dropping -days would break a million scripts.
>
> No, we'll never drop support for -days. But whether the code is atoi() or
> atof() is a big difference and might cause important silent failures for new
> scripts running on anything other than the most recent openssl. On most
> systems atoi("0.5") returns 0 and no error indicator so "-days 0.5" would
> silently do the wrong thing on anything other than openssl 1.0.whatever
> Which seems much worse.
ugh, you're quite right. Sorry, i wasn't thinking about the support
hassle in that direction.
And to make matters worse, "openssl req -x509" currently interprets
"-days 0" or "-days 0.5" or "-days PT1800S" as "use the default number
of days", which is 30. :/ From experimentation, i just discovered that
-days is also happy to accept and interpret negative integer arguments
as well, resulting in a key with ValidNotBefore later than ValidNotAfter
:( not even an error message to let you know that you've just created a
certificate that no validation stack in its right mind should ever accept.
I withdraw my support for making -days take a fractional argument, given
the behavior of the existing deployed base.
--dkg
signature.asc
Description: PGP signature
