Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

[openssl.org #2332] Issue while generating SSL certificate using Apache 2.216 + openssl 0.9.8o

1,189 views
Skip to first unread message

shibu nair via RT

unread,
Sep 8, 2010, 11:51:02 AM9/8/10
to
Issue while generating SSL certificate using Apache 2.216 + openssl 0.9.8o

We are facing a strange Issue while generating SSL certificate using
Apache 2.216 + openssl 0.9.8o with command

>> openssl x509 -req -passin pass:xxxx -days 9999 -in server.csr -signkey server.key –out server.crt

the script executes with following error:

Loading 'screen' into random state - done
Signature ok
subject=/CN=vdmd-inst-test2.panacya.com
Getting Private key
3344:error:0D0AF0AD:asn1 encoding routines:ASN1_TIME_set:error getting
time:.\crypto\asn1\a_time.c:109:
3344:error:0D0AF0AD:asn1 encoding routines:ASN1_TIME_set:error getting
time:.\crypto\asn1\a_time.c:109:

and generates certificate(.crt) file with 0 kb size.

We found that the error is due to the –days 9999 option. And when we
change the value 9996 this works fine. and 9999 was working fine three
date before (03-sept-2010. it seems to be issue related to the date
range.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List opens...@openssl.org
Automated List Manager majo...@openssl.org

Wim Lewis

unread,
Sep 8, 2010, 2:10:14 PM9/8/10
to

On Sep 8, 2010, at 8:51 AM, shibu nair via RT wrote:
> We found that the error is due to the –days 9999 option. And when we
> change the value 9996 this works fine. and 9999 was working fine three
> date before (03-sept-2010. it seems to be issue related to the date
> range.

Well, January 1st, 2038 is approximately 9999 days from now, and that's when the Unix time_t overflows 31 bits. IIRC, both of the actual certificate representations (UTCTIME and GENERALIZEDTIME) can handle timestamps outside that range, but openssl's ASN1_TIME_set() takes a time_t.

Stephen Henson via RT

unread,
Sep 8, 2010, 2:42:59 PM9/8/10
to
> [shibu...@gmail.com - Wed Sep 08 17:51:01 2010]:

>
> Issue while generating SSL certificate using Apache 2.216 + openssl
> 0.9.8o
>
> We are facing a strange Issue while generating SSL certificate using
> Apache 2.216 + openssl 0.9.8o with command
>
> >> openssl x509 -req -passin pass:xxxx -days 9999 -in server.csr
> -signkey server.key –out server.crt
>
> the script executes with following error:
>
> Loading 'screen' into random state - done
> Signature ok
> subject=/CN=vdmd-inst-test2.panacya.com
> Getting Private key
> 3344:error:0D0AF0AD:asn1 encoding routines:ASN1_TIME_set:error getting
> time:.\crypto\asn1\a_time.c:109:
> 3344:error:0D0AF0AD:asn1 encoding routines:ASN1_TIME_set:error getting
> time:.\crypto\asn1\a_time.c:109:
>
> and generates certificate(.crt) file with 0 kb size.
>
> We found that the error is due to the –days 9999 option. And when we
> change the value 9996 this works fine. and 9999 was working fine three
> date before (03-sept-2010. it seems to be issue related to the date
> range.
>

OpenSSL 0.9.8 relies on the OS supplied time routines which can return
errors. In this case it is the year 2038 issue. If you use OpenSSL 1.0.0
or later it uses its own date calculations and it should work OK.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Rich Salz via RT

unread,
Aug 14, 2014, 11:34:21 PM8/14/14
to
Yes, can't specify a date beyond 2038 :)
--
Rich Salz, OpenSSL dev team; rs...@openssl.org
0 new messages