From: Phil Pennock <pdp@exim.org>
Date: Thu, 12 Jul 2012 22:42:08 +0000 (-0700)
Subject: Doc note re 9999 days & 32bit time (SSL certs)
X-Git-Tag: exim-4_81_RC1~42
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/1dec42400b8243809625f0e18e0aa626ee708e16

Doc note re 9999 days & 32bit time (SSL certs)

Thanks to Jay Rouman for highlighting that there can be rollover.
I have chosen *not* to reduce the duration, but to leave it and instead
provoke thought on the part of those deploying systems, if this bites them.
---

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 579c112c9..140d8f993 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -25866,6 +25866,8 @@ install if the receiving end is a client MUA that can interact with a user.
 .cindex "certificate" "self-signed"
 You can create a self-signed certificate using the &'req'& command provided
 with OpenSSL, like this:
+. ==== Do not shorten the duration here without reading and considering
+. ==== the text below.  Please leave it at 9999 days.
 .code
 openssl req -x509 -newkey rsa:1024 -keyout file1 -out file2 \
             -days 9999 -nodes
@@ -25878,6 +25880,22 @@ that you are prompted for, and any use that is made of the key causes more
 prompting for the passphrase. This is not helpful if you are going to use
 this certificate and key in an MTA, where prompting is not possible.
 
+. ==== I expect to still be working 26 years from now.  The less technical
+. ==== debt I create, in terms of storing up trouble for my later years, the
+. ==== happier I will be then.  We really have reached the point where we
+. ==== should start, at the very least, provoking thought and making folks
+. ==== pause before proceeding, instead of leaving all the fixes until two
+. ==== years before 2^31 seconds after the 1970 Unix epoch.
+. ==== -pdp, 2012
+NB: we are now past the point where 9999 days takes us past the 32-bit Unix
+epoch.  If your system uses unsigned time_t (most do) and is 32-bit, then
+the above command might produce a date in the past.  Think carefully about
+the lifetime of the systems you're deploying, and either reduce the duration
+of the certificate or reconsider your platform deployment.  (At time of
+writing, reducing the duration is the most likely choice, but the inexorable
+progression of time takes us steadily towards an era where this will not
+be a sensible resolution).
+
 A self-signed certificate made in this way is sufficient for testing, and
 may be adequate for all your requirements if you are mainly interested in
 encrypting transfers, and not in secure identification.
diff --git a/src/ACKNOWLEDGMENTS b/src/ACKNOWLEDGMENTS
index 6af3db899..75f0268a8 100644
--- a/src/ACKNOWLEDGMENTS
+++ b/src/ACKNOWLEDGMENTS
@@ -427,6 +427,7 @@ Dan Rosenberg             Security notification & patch for hardlink attack on
                             sticky mail directory
                           Security notification of race condition in MBX locking
 Jay Rouman                Kept our copyright claim in the 21st century, not 11th
+                          Drew attention to SSL docs and epoch issue on 32bit
 Heiko Schlittermann       Patch making maildir_use_size_file expand
                           Patch fixing maildir quota file races
                           Patch fixing make parallelisation