From 3d835107af042bc716879183f53170a67a60d6c0 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Tue, 11 Jan 2022 09:07:34 +0000
Subject: [PATCH] Set the ephemeral certificate's "not before" a short time in the past

TLS clients can have their clock a short time in the past which will result in not being able to validate the certificate. Setting the "not before" property 5 minutes in the past will accommodate with some possible clock skew across systems.

(cherry picked from commit 81d3584116a1f06a5d7e09bb438be4d845378c48)
---
 lib/isc/tls.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/lib/isc/tls.c b/lib/isc/tls.c
index 35b8a1277e..c15e596911 100644
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -394,11 +394,16 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
 ASN1_INTEGER_set(X509_get_serialNumber(cert), (long)isc_random32());
+ /*
+ * Set the "not before" property 5 minutes into the past to
+ * accommodate with some possible clock skew across systems.
+ */
 #if OPENSSL_VERSION_NUMBER < 0x10101000L
- X509_gmtime_adj(X509_get_notBefore(cert), 0);
+ X509_gmtime_adj(X509_get_notBefore(cert), -300);
 #else
- X509_gmtime_adj(X509_getm_notBefore(cert), 0);
+ X509_gmtime_adj(X509_getm_notBefore(cert), -300);
 #endif
+
 /*
 * We set the vailidy for 10 years.
 */