On Thu, Apr 12, 2007, Ralf Hauser wrote:

> to secure my mysql, I use Monty's script as per
> http://dev.mysql.com/doc/refman/5.0/en/secure-create-certs.html
> 
> openssl req -new -x509 -keyout $PRIV/cakey.pem -out $DIR/cacert.pem \
>      -days $CADAYS -config $DIR/openssl.cnf
> 
> 
> When I set the CADAYS to "36000" i.e. about 100 years, I get 
> 
>    Validity
>             Not Before: Apr 11 09:22:07 2007 GMT
>             Not After : Sep 27 02:53:51 1969 GMT
> 
> 
> Isn't that kind of a denial of service or a new variant of the Y2K?
> 

The -days option relies on the system time routines to calculate the new date.
This uses a time_t value which is usually 32 bits and sometimes signed. If the
result becomes negative you can get results like the above.

OpenSSL can compare validity dates with any value; it just can't currently
create them with the -days option.

Ticket #767 has a reference to this. I never got round to fixing it...

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
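The wrap-around described in the reply, reproduced as an added example (not code from the post or from OpenSSL). It assumes a 32-bit signed two's-complement time_t, simulated here with int32_t; the function names are hypothetical and the epoch value is computed from the Not Before date in the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define SECS_PER_DAY 86400LL

/* Expiry as a 32-bit signed time_t would store it: the exact 64-bit sum
 * is reduced modulo 2^32 and reinterpreted as a signed value. */
int32_t not_after_32bit(int64_t not_before, long days)
{
    int64_t exact = not_before + (int64_t)days * SECS_PER_DAY;
    uint32_t low = (uint32_t)exact;           /* modular, well-defined */
    if (low > (uint32_t)INT32_MAX)
        return (int32_t)((int64_t)low - 4294967296LL);
    return (int32_t)low;
}

/* Largest -days value whose expiry still fits in a 32-bit signed time_t. */
long max_safe_days(int64_t not_before)
{
    return (long)((INT32_MAX - not_before) / SECS_PER_DAY);
}

/* Format seconds since the epoch as UTC, in the layout openssl prints. */
void format_utc(int64_t t, char *buf, size_t len)
{
    time_t tt = (time_t)t;
    struct tm *tm = gmtime(&tt);
    buf[0] = '\0';
    if (tm != NULL)
        strftime(buf, len, "%b %d %H:%M:%S %Y GMT", tm);
}

int main(void)
{
    /* Not Before from the post: Apr 11 09:22:07 2007 GMT */
    const int64_t not_before = 1176283327LL;
    char buf[64];

    format_utc(not_after_32bit(not_before, 36000), buf, sizeof buf);
    printf("Not After with -days 36000: %s\n", buf);
    if (strcmp(buf, "Sep 27 02:53:51 1969 GMT") == 0)
        printf("matches the Not After value shown in the post\n");
    printf("largest -days that does not wrap: %ld\n",
           max_safe_days(not_before));
    return 0;
}
```

For the date in the post, any -days value above 11240 pushes the expiry past January 2038 and produces a negative 32-bit time_t.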