-
Notifications
You must be signed in to change notification settings - Fork 91
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
X509_cmp_time fails for dates that don't fit in time_t #66
Comments
There is no reason for a modern 32 bit platform to have a 32 bit time_t - if it is your operating system is going to be badly broken on dates in the near future - i.e. after January 18, 2038 In a nutshell, OpenSSL is failing defensively, because your operating system is fundamentally broken for these dates, and you will very likely have security problems "Programs that work with future dates will begin to run into problems sooner; for example a program that works with dates 20 years in the future will have to be fixed no later than 2018." : https://en.wikipedia.org/wiki/Year_2038_problem |
And in case you're wondering, I'm of an age where some jerk might end up putting some embedable linux 32 bit internet-of-shite thing in my chest as a pacemaker or something before Jan 19 2038.. I'm not going to get killed by a crappy linux freaking out then because I didn't to my darndest to get the ecosystem to fix it's problems. I want to die from my own foolish excesses. |
Thanks for your delightful response. Lets hope you (or me for that matter) will never need a pacemaker ;-) Unfortunately the software I wanted to build against LibreSSL is running with Ubuntu Trusty on armhf which only has a 32bit Anyway, thanks for your feedback and sorry for bothering you. |
Yes, indeed you'll have to stick with that, and/or be able to run the linux On Wed, Jul 27, 2016 at 4:40 PM, Joachim Bauch notifications@github.com
|
AFAICS, this is being worked around in 362ffef |
@chneukirchen - correct, the notafter date is now clamped to 2038 in the case of a 32-bit time_t. |
In de5a7bf#diff-c72c45bb1891a4148a352b678fe463d4
X509_cmp_time
has changed in that the string must be representable bytime_t
.This causes it to fail for large dates on 32bit platforms (tested on Ubuntu) where
time_t
is 32bit causing certificates that have a really far future expiration (e.g. 100 years from now) to no longer verify successfully.Such certificates verify with OpenSSL/BoringSSL.
The text was updated successfully, but these errors were encountered: