From aff9f77a4df808dadc3c871c170712d8bd1584e6 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Wed, 23 Sep 2020 14:26:56 +0200
Subject: [PATCH] OpenSSL: Use %y instead of %Y in VALID_DATETIME_FMT

Otherwise OpenSSL uses the GENERALIZEDTIME ASN.1 encoding which results in LibreSSL-based clients rejecting the certificate because they want the UTCTIME encoding if the year is before 2050. Example: fk@openbsd ~ $curl https://www.electrobsd.org/ curl: (60) SSL certificate problem: format error in certificate's notBefore field [...]
---
 openssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openssl.c b/openssl.c
index d911aff9..4a0e23b3 100644
--- a/openssl.c
+++ b/openssl.c
@@ -55,7 +55,7 @@
 #define CERTIFICATE_AUTHORITY_KEY "keyid:always"
 #define CERTIFICATE_ALT_NAME_PREFIX "DNS:"
 #define CERTIFICATE_VERSION 2
-#define VALID_DATETIME_FMT "%Y%m%d%H%M%SZ"
+#define VALID_DATETIME_FMT "%y%m%d%H%M%SZ"
 #define VALID_DATETIME_BUFLEN 16
 
 static int generate_webpage_certificate(struct client_state *csp);
-- 
2.39.2
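Review bot: `VALID_DATETIME_FMT` now hard-codes the two-digit-year UTCTime form, which cannot represent dates from 2050 on, and nothing next to the macro records that limit. RFC 5280 requires UTCTime through 2049 and GeneralizedTime from 2050 onwards, so if a notBefore/notAfter value built with this format can fall in 2050 or later (the code that formats and sets those fields is outside this hunk), the year would presumably be misread or the certificate rejected by strict verifiers. I would add a comment above the define, e.g. `/* UTCTime (YYMMDDHHMMSSZ): only valid for dates before 2050; later dates need GeneralizedTime (%Y) */`, and check the generated certificate lifetime against that limit where the format is used. `VALID_DATETIME_BUFLEN 16` still covers the shorter 13-character string plus its terminator, so the buffer size needs no change.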