From: Fabian Keil <fk@fabiankeil.de>
Date: Wed, 23 Sep 2020 12:26:56 +0000 (+0200)
Subject: OpenSSL: Use %y instead of %Y in VALID_DATETIME_FMT
X-Git-Tag: v_3_0_29~88
X-Git-Url: http://www.privoxy.org/gitweb/%22https:/@default-cgi@/user-manual/static/@default-cgi@toggle?a=commitdiff_plain;h=aff9f77a4df808dadc3c871c170712d8bd1584e6;p=privoxy.git

OpenSSL: Use %y instead of %Y in VALID_DATETIME_FMT

Otherwise OpenSSL uses the GENERALIZEDTIME ASN.1 encoding
which results in LibreSSL-based clients rejecting
the certificate because they want the UTCTIME encoding
if the year is before 2050.

Example:

    fk@openbsd ~ $curl https://www.electrobsd.org/
    curl: (60) SSL certificate problem: format error in certificate's notBefore field
    [...]
---

diff --git a/openssl.c b/openssl.c
index d911aff9..4a0e23b3 100644
--- a/openssl.c
+++ b/openssl.c
@@ -55,7 +55,7 @@
 #define CERTIFICATE_AUTHORITY_KEY                "keyid:always"
 #define CERTIFICATE_ALT_NAME_PREFIX              "DNS:"
 #define CERTIFICATE_VERSION                      2
-#define VALID_DATETIME_FMT                       "%Y%m%d%H%M%SZ"
+#define VALID_DATETIME_FMT                       "%y%m%d%H%M%SZ"
 #define VALID_DATETIME_BUFLEN                    16
 
 static int generate_webpage_certificate(struct client_state *csp);
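
Review bot: the new "%y" value of VALID_DATETIME_FMT carries no comment saying why a two-digit year is required, and the commit message's own condition ("if the year is before 2050") is not enforced anywhere in this hunk. A one-line comment above the define, stating that the two-digit year selects the UTCTIME encoding and is only valid for dates before 2050, would keep someone from "fixing" it back to "%Y" later. Where the format is used to build notBefore and notAfter, it would also be worth checking that the computed year is below 2050, because a two-digit year cannot represent a later date unambiguously. VALID_DATETIME_BUFLEN stays at 16, which still fits the shorter 13-character string plus its terminator, so that line needs no change.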