On Thu, Jun 05, 2008, Chris Kottaridis wrote: > When trying to make a certificate for 30 years seems you run into the > 2038 date limitation. Seems the code converts date to a signed int in > seconds since 1970 and now that we are within 30 years of the 2038 limit > we get hit by it. Using a date of (30 * 365) from now: > > notBefore=Mar25 19:33:38 2008 GMT > notAfter=Feb 10 13:05:22 1902 GMT > > Clearly it wrapped around and subtracted 68 years from 1970 instead of > adding 68 years. > > Is there a plan to remove this limitation ? > > I am seeing this on openssl-0.9.7m. >
As has been mentioned this is caused by the time representation of the underlying OS. OpenSSL relies on the OS routines to convert the time_t value to appropriate date fields. If the time_t value wraps around you get the above behaviour. Changing this is would involve including independent date routines which don't have this restriction. I did start on this some time ago but other higher priority tasks (e.g. paid ones!) took over. Note however that this doesn't affect OpenSSLs ability to *verify* date fields in the far future. The technique used avoids time_t issues and it should happily handle any date. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]