Use serial number 1 for self-generated selfsigned certificate
authorJeremy Harris <jgh146exb@wizmail.org>
Thu, 24 May 2018 15:31:27 +0000 (16:31 +0100)
committerJeremy Harris <jgh146exb@wizmail.org>
Thu, 24 May 2018 15:31:27 +0000 (16:31 +0100)
Broken-by: 23bb69826c
(cherry picked from commit 1613fd68b5931757016c3c25fdc3b0f37827e7f1)

doc/doc-txt/ChangeLog
src/src/tls-gnu.c
src/src/tls-openssl.c

index c6f3417375cb534ce42f0200b8f6fdd500203fcb..3edcb12fd63d58ca0a7be7f0dd116e15665d42fe 100644 (file)
@@ -28,6 +28,9 @@ JH/06 Bug 2275: The MIME ACL unlocked the received message files early, and
       releases a lock) for that case, while creating the temporary .eml format
       file for the MIME ACL.  Also applies to "regex" and "spam" ACL conditions.
 
+JH/08 When generating a selfsigned cert, use serial number 1 since zero is not
+      legitimate.
+
 
 Exim version 4.91
 -----------------
index 35816cd6030fd41dc237280ce60400d0a11dd2e8..08c1d939ee4f5c35a2064668878c3c033aad826c 100644 (file)
@@ -790,7 +790,7 @@ if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
   goto err;
 
 where = US"configuring cert";
-now = 0;
+now = 1;
 if (  (rc = gnutls_x509_crt_set_version(cert, 3))
    || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
    || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
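Review bot: The serial set by `gnutls_x509_crt_set_serial(cert, &now, sizeof(now))` is the raw in-memory bytes of `now`, not the integer 1. GnuTLS documents the serial argument as a big-endian byte string, so the encoded value depends on the host's byte order and on the width of `now`. Its declaration is outside the hunk; it is presumably a `time_t`, given the `now = time(NULL)` on the next line. On a little-endian host the leading 0x01 byte followed by zeros would give a very large serial, and on a big-endian host the value would carry leading zero bytes. A dedicated one-byte buffer makes the serial exactly 1 everywhere and stops overloading the time variable: `static const unsigned char serial[] = { 1 };` with `(rc = gnutls_x509_crt_set_serial(cert, serial, sizeof(serial)))`. The `if` chain and the enclosing function continue outside this hunk.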
index cefa94fecb1526ed94999ca2674ae0b3499b0fdf..068a0d872868a881e68a6507fa4fc31960a23d6e 100644 (file)
@@ -1000,7 +1000,7 @@ if (!EVP_PKEY_assign_RSA(pkey, rsa))
   goto err;
 
 X509_set_version(x509, 2);                             /* N+1 - version 3 */
-ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);
+ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
 X509_gmtime_adj(X509_get_notBefore(x509), 0);
 X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60);       /* 1 hour */
 X509_set_pubkey(x509, pkey);
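Review bot: The result of `ASN1_INTEGER_set()` on the changed line is discarded, so a failure would leave the certificate with whatever serial the fresh X509 object had, even though the surrounding code uses `goto err` for failures. It returns 0 on error, so the line could be `if (!ASN1_INTEGER_set(X509_get_serialNumber(x509), 1)) goto err;`. The neighbouring `X509_set_version`, `X509_gmtime_adj` and `X509_set_pubkey` calls are likewise unchecked. Separately, every regenerated certificate now has the same serial with a new key. If the issuer name is also constant (it is not visible in this hunk), peers that cache certificates by issuer and serial may reject the replacement. A comment such as `/* fixed serial: cert is ephemeral (1 hour) and not meant to be pinned or cached */` would record that this is deliberate. The enclosing function starts and ends outside the hunk.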