From aff9f77a4df808dadc3c871c170712d8bd1584e6 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Wed, 23 Sep 2020 14:26:56 +0200
Subject: [PATCH] OpenSSL: Use %y instead of %Y in VALID_DATETIME_FMT

Otherwise OpenSSL uses the GENERALIZEDTIME ASN.1 encoding
which results in LibreSSL-based clients rejecting
the certificate because they want the UTCTIME encoding
if the year is before 2050.

Example:

    fk@openbsd ~ $curl https://www.electrobsd.org/
    curl: (60) SSL certificate problem: format error in certificate's notBefore field
    [...]
---
 openssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openssl.c b/openssl.c
index d911aff9..4a0e23b3 100644
--- a/openssl.c
+++ b/openssl.c
@@ -55,7 +55,7 @@
 #define CERTIFICATE_AUTHORITY_KEY                "keyid:always"
 #define CERTIFICATE_ALT_NAME_PREFIX              "DNS:"
 #define CERTIFICATE_VERSION                      2
-#define VALID_DATETIME_FMT                       "%Y%m%d%H%M%SZ"
+#define VALID_DATETIME_FMT                       "%y%m%d%H%M%SZ"
 #define VALID_DATETIME_BUFLEN                    16
 
 static int generate_webpage_certificate(struct client_state *csp);
-- 
2.39.2