Hi, I am using FreeBSD 8.2, 32-bit i386, OpenSSL package: openssl-1.0.1_18 SSL and crypto library

During certificate generation, I found a bug: if the requested CA lifespan is too long, the expiration date drops into the far past, and the CA certificate is invalid. Moreover, no error message is printed, everything works, and this certificate signs other client certificates. But when I tried to log in with these client certs, I received errors:

ssl_error_expired_cert_alert - Mozilla, Seamonkey
ssl_error_bad_cert_alert - Chrome

I assume the problem is a signed int overflow. See the bug example following: if 10000 days are requested, the expiration date is written as 1906!

$ openssl req -new -newkey rsa:512 -nodes -keyout emc_ca.key -x509 -days 10000 \
  -subj '/O=EmerCoin/OU=EMCSSL/CN=EmerCoin World Wide Web Public Key Infrastructure/[email protected]/UID=EMC' \
  -out emc_ca.crt

$ openssl x509 -noout -text -in emc_ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c6:8e:ab:87:46:5d:8e:6d
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=EmerCoin, OU=EMCSSL, CN=EmerCoin World Wide Web Public Key Infrastructure/[email protected]/UID=EMC
        Validity
            Not Before: Apr 8 13:13:06 2015 GMT
            Not After : Jul 19 06:44:50 1906 GMT
        Subject: O=EmerCoin, OU=EMCSSL, CN=EmerCoin World Wide Web Public Key Infrastructure/[email protected]/UID=EMC
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:e7:16:06:11:e2:d6:cd:ec:49:a9:93:95:19:cf:
                    b1:fb:b5:d5:08:5c:3d:01:4a:cc:a2:20:8b:b9:0f:
                    d2:74:ce:14:c7:a3:eb:81:80:07:aa:8b:e4:db:8b:
                    42:6d:cc:e6:ae:4d:3d:39:83:f7:8f:1e:93:f3:ca:
                    0b:3f:71:9d:11
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                26:12:7D:02:A3:2D:3A:39:96:84:FE:F3:26:62:04:9D:26:43:E5:5E
            X509v3 Authority Key Identifier:
                keyid:26:12:7D:02:A3:2D:3A:39:96:84:FE:F3:26:62:04:9D:26:43:E5:5E
                DirName:/O=EmerCoin/OU=EMCSSL/CN=EmerCoin World Wide Web Public Key Infrastructure/[email protected]/UID=EMC
                serial:C6:8E:AB:87:46:5D:8E:6D
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        54:0b:c2:62:76:6c:1d:a7:c8:15:b7:52:60:ee:a4:20:67:19:
        47:f3:c1:ff:03:0c:9f:fa:fe:6d:b7:c6:1f:46:94:b5:38:5d:
        67:93:02:d7:53:1b:f4:04:ba:56:ce:67:42:32:9c:ad:98:f1:
        0c:6a:dc:01:ba:c2:ba:0b:01:e5

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
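
The arithmetic behind the 1906 date, as an added example that is not part of the original post and is not OpenSSL code. It assumes, following the poster's hypothesis, that the end of validity is held in a 32-bit signed time value; the start time 1428498786 is the post's Not Before converted to Unix seconds, and all function names are hypothetical. Adding 10000 days to it and truncating to 32 bits gives exactly Jul 19 06:44:50 1906 GMT, and the check shows the longest lifespan that would still have fit.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define SECS_PER_DAY 86400LL

/* Exact end of validity, computed in 64 bits so it cannot wrap. */
static int64_t not_after_exact(int32_t not_before, long days)
{
    return (int64_t)not_before + (int64_t)days * SECS_PER_DAY;
}

/* The same sum as a 32-bit signed time value would hold it (modulo 2^32).
 * Assumption: this models the platform's time_t, not OpenSSL's own code. */
static int32_t not_after_32(int32_t not_before, long days)
{
    uint32_t u = (uint32_t)not_after_exact(not_before, days);
    if (u > (uint32_t)INT32_MAX)
        return (int32_t)((int64_t)u - 4294967296LL);
    return (int32_t)u;
}

/* 1 if the requested lifespan is representable, 0 if it would wrap. */
static int lifespan_fits_32(int32_t not_before, long days)
{
    int64_t t = not_after_exact(not_before, days);
    return t >= INT32_MIN && t <= INT32_MAX;
}

/* Largest number of days that still fits for this start time. */
static long max_days_32(int32_t not_before)
{
    return (long)(((int64_t)INT32_MAX - not_before) / SECS_PER_DAY);
}

int main(void)
{
    const int32_t nb = 1428498786; /* Apr 8 13:13:06 2015 GMT, from the post */
    time_t wrapped = (time_t)not_after_32(nb, 10000); /* -2002468510 */
    char buf[64];

    strftime(buf, sizeof buf, "%b %d %H:%M:%S %Y GMT", gmtime(&wrapped));
    printf("wrapped Not After: %s\n", buf);
    printf("fits: %d, max days: %ld\n",
           lifespan_fits_32(nb, 10000), max_days_32(nb));
    return 0;
}
```

A range check like lifespan_fits_32 before the date is written is what turns the silent wrap into an error at generation time.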
