OpenSSL: Use %y instead of %Y in VALID_DATETIME_FMT
authorFabian Keil <fk@fabiankeil.de>
Wed, 23 Sep 2020 12:26:56 +0000 (14:26 +0200)
committerFabian Keil <fk@fabiankeil.de>
Sat, 26 Sep 2020 09:16:03 +0000 (11:16 +0200)
Otherwise OpenSSL uses the GENERALIZEDTIME ASN.1 encoding
which results in LibreSSL-based clients rejecting
the certificate because they want the UTCTIME encoding
if the year is before 2050.

Example:

    fk@openbsd ~ $curl https://www.electrobsd.org/
    curl: (60) SSL certificate problem: format error in certificate's notBefore field
    [...]

openssl.c

index d911aff..4a0e23b 100644 (file)
--- a/openssl.c
+++ b/openssl.c
@@ -55,7 +55,7 @@
 #define CERTIFICATE_AUTHORITY_KEY                "keyid:always"
 #define CERTIFICATE_ALT_NAME_PREFIX              "DNS:"
 #define CERTIFICATE_VERSION                      2
-#define VALID_DATETIME_FMT                       "%Y%m%d%H%M%SZ"
+#define VALID_DATETIME_FMT                       "%y%m%d%H%M%SZ"
 #define VALID_DATETIME_BUFLEN                    16
 
 static int generate_webpage_certificate(struct client_state *csp);