generate_webpage_certificate(): Include the time in the serial number
authorFabian Keil <fk@fabiankeil.de>
Thu, 27 Feb 2020 10:43:35 +0000 (11:43 +0100)
committerFabian Keil <fk@fabiankeil.de>
Fri, 28 Feb 2020 06:31:27 +0000 (07:31 +0100)
... to make sure the serial number changes when the certificate
is regenerated.

Sponsored by: Robert Klemme

ssl.c

diff --git a/ssl.c b/ssl.c
index aa4f9cd..55269dd 100644 (file)
--- a/ssl.c
+++ b/ssl.c
@@ -1475,14 +1475,17 @@ static int generate_webpage_certificate(struct client_state *csp)
     * We must compute length of serial number in string + terminating null.
     */
    unsigned long certificate_serial = get_certificate_serial(csp);
-   int serial_num_size = snprintf(NULL, 0, "%lu", certificate_serial) + 1;
+   unsigned long certificate_serial_time = (unsigned long)time(NULL);
+   int serial_num_size = snprintf(NULL, 0, "%lu%lu",
+      certificate_serial_time, certificate_serial) + 1;
    if (serial_num_size <= 0)
    {
       serial_num_size = 1;
    }
 
    char serial_num_text[serial_num_size];  /* Buffer for serial number */
-   ret = snprintf(serial_num_text, (size_t)serial_num_size, "%lu", certificate_serial);
+   ret = snprintf(serial_num_text, (size_t)serial_num_size, "%lu%lu",
+      certificate_serial_time, certificate_serial);
    if (ret < 0 || ret >= serial_num_size)
    {
       log_error(LOG_LEVEL_ERROR,
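Review bot: The time component added in `unsigned long certificate_serial_time = (unsigned long)time(NULL);` has one-second resolution and is used unchecked, so the serial is not guaranteed to change on every regeneration. Two regenerations for the same host within the same second, or one after the clock has been stepped back, would produce the same issuer/serial pair for different certificates, which TLS clients may reject. `time()` can also return `(time_t)-1`, which the cast silently turns into `ULONG_MAX`; a guard such as `if (certificate_serial_time == (unsigned long)-1) log_error(LOG_LEVEL_ERROR, "time() failed while building certificate serial");` would make that case visible. I would also document the limits above the declaration, e.g. `/* Serial is decimal time followed by the host serial: unique per second only, and predictable rather than random. */`. The body of generate_webpage_certificate() starts and ends outside this hunk, so whether regeneration is already serialised or rate-limited elsewhere cannot be confirmed from here.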