Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[dev.icinga.com #10266] "Not after" value overflows in X509 certificates on RHEL5 #3466

Closed
icinga-migration opened this issue Oct 2, 2015 · 4 comments
Labels
bug
Milestone

Comments

@icinga-migration
Copy link
Member

@icinga-migration icinga-migration commented Oct 2, 2015

This issue has been migrated from Redmine: https://dev.icinga.com/issues/10266

Created by mfriedrich on 2015-10-02 09:41:28 +00:00

Assignee: mfriedrich
Status: Resolved (closed on 2015-10-02 15:15:33 +00:00)
Target Version: 2.3.11
Last Update: 2015-10-13 10:21:05 +00:00 (in Redmine)

Icinga Version: 2.4.0
Backport?: Already backported
Include in Changelog: 1

# openssl x509 -text -in /etc/icinga2/pki/diamx1.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Icinga CA
Validity
Not Before: Oct 2 06:56:38 2015 GMT
Not After : Aug 19 00:28:22 1909 GMT
Subject: CN=diamx1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)

http://serverfault.com/questions/355423/openssl-req-sets-wrong-not-after-date-overflow-bug

We should just lower the default expiration date from 30y to a more sane value.

Changesets

2015-10-02 10:11:21 +00:00 by mfriedrich f0a5a0c

Fix openssl certificate not after overflow on rhel5

refs #10266

2015-10-13 10:20:57 +00:00 by mfriedrich 72c19fe

Fix openssl certificate not after overflow on rhel5

refs #10266
@icinga-migration

This comment has been minimized.

Copy link
Member Author

@icinga-migration icinga-migration commented Oct 2, 2015

Updated by mfriedrich on 2015-10-02 10:12:51 +00:00

  • Icinga Version changed from 2 to 2

Hm, apparently it only affects the git master, not 2.3.10 and also not only 32bit centos5, also x64.

And it seems, only certificates generated with new-cert, but not the ones coming from 'api setup'. strange.

[root@3d9f4b145bc8 test]# icinga2 pki new-cert --cn `hostname` --key `hostname`.key --cert `hostname`.crt
information/base: Writing private key to '3d9f4b145bc8.key'.
information/base: Writing X509 certificate to '3d9f4b145bc8.crt'.
[root@3d9f4b145bc8 test]# openssl x509 -text -in 3d9f4b145bc8.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=3d9f4b145bc8
        Validity
            Not Before: Oct  2 10:01:24 2015 GMT
            Not After : Aug 19 03:33:08 1909 GMT
        Subject: CN=3d9f4b145bc8
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):

https://mta.openssl.org/pipermail/openssl-users/2015-July/001783.html

@icinga-migration

This comment has been minimized.

Copy link
Member Author

@icinga-migration icinga-migration commented Oct 2, 2015

Updated by mfriedrich on 2015-10-02 15:15:33 +00:00

  • Subject changed from openssl certificate not after overflow on rhel5 32 bit to openssl certificate not after overflow on rhel5
  • Status changed from Assigned to Resolved
  • Done % changed from 0 to 100

No idea which change introduced the overflow, but apparently I read an article where setting the expiration that long isn't a good idea either. Lowering the value to 15y solves the issue.

[root@6b2d078a102f test]# icinga2 pki new-cert --cn `hostname` --key `hostname`.key --cert `hostname`.crt
information/base: Writing private key to '6b2d078a102f.key'.
information/base: Writing X509 certificate to '6b2d078a102f.crt'.
[root@6b2d078a102f test]# openssl x509 -text -in 6b2d078a102f.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=6b2d078a102f
        Validity
            Not Before: Oct  2 15:13:18 2015 GMT
            Not After : Sep 28 15:13:18 2030 GMT
        Subject: CN=6b2d078a102f
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
@icinga-migration

This comment has been minimized.

Copy link
Member Author

@icinga-migration icinga-migration commented Oct 13, 2015

Updated by gbeutner on 2015-10-13 10:20:46 +00:00

  • Subject changed from openssl certificate not after overflow on rhel5 to "Not after" value overflows in X509 certificates on RHEL5
@icinga-migration

This comment has been minimized.

Copy link
Member Author

@icinga-migration icinga-migration commented Oct 13, 2015

Updated by gbeutner on 2015-10-13 10:21:05 +00:00

  • Target Version changed from 2.4.0 to 2.3.11
  • Backport? changed from TBD to Yes
@icinga-migration icinga-migration added this to the 2.3.11 milestone Jan 17, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
1 participant
You can’t perform that action at this time.