From c3c0116bed3c9f82de2f4cde6c86f78037036a5d Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Thu, 27 Feb 2020 11:43:35 +0100
Subject: [PATCH] generate_webpage_certificate(): Include the time in the serial number
... to make sure the serial number changes when the certificate is regenerated.
Sponsored by: Robert Klemme
---
 ssl.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/ssl.c b/ssl.c
index aa4f9cd3..55269ddb 100644
--- ssl.c
+++ ssl.c
@@ -1475,14 +1475,17 @@ static int generate_webpage_certificate(struct client_state *csp)
 * We must compute length of serial number in string + terminating null.
 */
 unsigned long certificate_serial = get_certificate_serial(csp);
- int serial_num_size = snprintf(NULL, 0, "%lu", certificate_serial) + 1;
+ unsigned long certificate_serial_time = (unsigned long)time(NULL);
+ int serial_num_size = snprintf(NULL, 0, "%lu%lu",
+ certificate_serial_time, certificate_serial) + 1;
 if (serial_num_size <= 0)
 {
 serial_num_size = 1;
 }
 char serial_num_text[serial_num_size]; /* Buffer for serial number */
- ret = snprintf(serial_num_text, (size_t)serial_num_size, "%lu", certificate_serial);
+ ret = snprintf(serial_num_text, (size_t)serial_num_size, "%lu%lu",
+ certificate_serial_time, certificate_serial);
 if (ret < 0 || ret >= serial_num_size)
 {
 log_error(LOG_LEVEL_ERROR,
-- 
2.39.2
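Review bot: The `time(NULL)` prefix only has one-second resolution, so regenerating the certificate for the same host twice within a second, or after the system clock steps backwards, can still yield a serial number that was used before, which is the case the commit message wants to rule out. If per-issuer uniqueness matters to the clients (that appears to be the motivation here), mixing in random bytes from the TLS library's RNG would be more robust; at minimum the limitation deserves a comment above the new declaration, e.g. `/* Time prefix gives a regenerated certificate a new serial; resolution is one second. */`. `time()` may also return `(time_t)-1`, which the cast silently turns into `ULONG_MAX` with no log entry. The format string `"%lu%lu"` now has to stay identical in the sizing call and the formatting call, and the existing `ret >= serial_num_size` check catches a mismatch only at run time. The body of generate_webpage_certificate() starts and ends outside this hunk.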