Use serial number 1 for self-generated selfsigned certificate

Broken-by: 23bb69826c

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index e4d1719ecdb059972839c7b3293e426450b7d89a..261c5652843ce032a8df0ac4fdf085d23f472950 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -43,6 +43,9 @@ JH/06 Bug 2275: The MIME ACL unlocked the received message files early, and
 JH/07 Bug 177: Make a random-recipient callout success visible in ACL, by setting
       $sender_verify_failure/$recipient_verify_failure to "random".
 
+JH/08 When generating a selfsigned cert, use serial number 1 since zero is not
+      legitimate.
+
 
 Exim version 4.91
 -----------------

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 35816cd6030fd41dc237280ce60400d0a11dd2e8..08c1d939ee4f5c35a2064668878c3c033aad826c 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -790,7 +790,7 @@ if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
   goto err;
 
 where = US"configuring cert";
-now = 0;
+now = 1;
 if (  (rc = gnutls_x509_crt_set_version(cert, 3))
    || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
    || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index e69b64ce06a34cd2b137dd22877fd50e4b0cb740..db48c9451bb0b14795c299877fb29d1b17648129 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1000,7 +1000,7 @@ if (!EVP_PKEY_assign_RSA(pkey, rsa))
   goto err;
 
 X509_set_version(x509, 2);                             /* N+1 - version 3 */
-ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);
+ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
 X509_gmtime_adj(X509_get_notBefore(x509), 0);
 X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60);       /* 1 hour */
 X509_set_pubkey(x509, pkey);