upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-11 13:50:00 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Set the ephemeral certificate's "not before" a short time in the past

Browse source 
TLS clients can have their clock a short time in the past which will
result in not being able to validate the certificate.

Setting the "not before" property 5 minutes in the past will
accommodate with some possible clock skew across systems.

(cherry picked from commit 81d3584116)
This commit is contained in:
Aram Sargsyan 2022-01-11 09:07:34 +00:00 committed by Arаm Sаrgsyаn
parent e82c8c6105
commit 3d835107af
1 changed files with 7 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
lib/isc/tls.c
View file

@ -394,11 +394,16 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
ASN1_INTEGER_set(X509_get_serialNumber(cert),
(long)isc_random32());
/*
* Set the "not before" property 5 minutes into the past to
* accommodate with some possible clock skew across systems.
*/
#if OPENSSL_VERSION_NUMBER < 0x10101000L
X509_gmtime_adj(X509_get_notBefore(cert), 0);
X509_gmtime_adj(X509_get_notBefore(cert), -300);
#else
X509_gmtime_adj(X509_getm_notBefore(cert), 0);
X509_gmtime_adj(X509_getm_notBefore(cert), -300);
#endif
/*
* We set the vailidy for 10 years.
*/