From 3b9730e3deaf4eb03a99977d830da446dcc85cfb Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Thu, 24 May 2018 16:31:27 +0100
Subject: [PATCH] Use serial number 1 for self-generated selfsigned certificate
Broken-by: 23bb69826c
(cherry picked from commit 1613fd68b5931757016c3c25fdc3b0f37827e7f1)
---
 doc/doc-txt/ChangeLog | 3 +++
 src/src/tls-gnu.c | 2 +-
 src/src/tls-openssl.c | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index c6f341737..3edcb12fd 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -28,6 +28,9 @@ JH/06 Bug 2275: The MIME ACL unlocked the received message files early, and
 releases a lock) for that case, while creating the temporary .eml format
 file for the MIME ACL. Also applies to "regex" and "spam" ACL conditions.
 
+JH/08 When generating a selfsigned cert, use serial number 1 since zero is not
+ legitimate.
+
 Exim version 4.91
 -----------------
 
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 35816cd60..08c1d939e 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -790,7 +790,7 @@ if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
 goto err;
 
 where = US"configuring cert";
-now = 0;
+now = 1;
 if ( (rc = gnutls_x509_crt_set_version(cert, 3))
 || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
 || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index cefa94fec..068a0d872 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1000,7 +1000,7 @@ if (!EVP_PKEY_assign_RSA(pkey, rsa))
 goto err;
 
 X509_set_version(x509, 2); /* N+1 - version 3 */
-ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);
+ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
 X509_gmtime_adj(X509_get_notBefore(x509), 0);
 X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
 X509_set_pubkey(x509, pkey);
-- 
2.30.2
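Review bot: The serial handed to `gnutls_x509_crt_set_serial(cert, &now, sizeof(now))` is the raw in-memory bytes of `now` (presumably a time_t, declared outside the hunk), and GnuTLS documents that buffer as a big-endian integer, so on a little-endian host `now = 1` encodes 0x01 followed by seven zero bytes, i.e. 2^56, not the serial number 1 the ChangeLog describes; it is still positive and non-zero, so the stated bug is fixed, but the value is accidental. The larger issue is that a constant serial means every regeneration of this short-lived certificate reuses the same issuer/serial pair with a different key (the issuer name of a self-signed cert is presumably fixed per host), which RFC 5280 §4.1.2.2 forbids and which can confuse clients or tooling that identify certificates by issuer and serial. I would draw the serial from `gnutls_rnd()` (from `<gnutls/crypto.h>`, if not already included) into a dedicated byte array and force the leading byte into 0x40–0x7f so the DER INTEGER is positive and non-zero regardless of endianness, leaving `now` for the validity times only. The enclosing function starts and ends outside the hunk, so the array declaration belongs with its other locals.
```c
unsigned char serial[16];	/* with the function's other locals */
/* … unchanged: key generation … */
where = US"configuring cert";
if ((rc = gnutls_rnd(GNUTLS_RND_NONCE, serial, sizeof(serial))))
  goto err;
serial[0] = (serial[0] & 0x3f) | 0x40;	/* positive, non-zero big-endian INTEGER, unique per run */
if (  (rc = gnutls_x509_crt_set_version(cert, 3))
   || (rc = gnutls_x509_crt_set_serial(cert, serial, sizeof(serial)))
   || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
```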
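Review bot: `ASN1_INTEGER_set(X509_get_serialNumber(x509), 1)` gives every self-generated certificate the same serial, and since the issuer name of a self-signed cert is presumably the same on each run, each regeneration of this one-hour certificate (see the notAfter line below) reuses an issuer/serial pair under a different key; RFC 5280 §4.1.2.2 requires the pair to be unique per issuer, and CRL/OCSP lookups and some client caches key on it. A random positive serial costs nothing here: draw 63 bits with `BN_rand()` with the top bit forced on so the value is non-zero and stays positive in DER, then store it with `BN_to_ASN1_INTEGER()`. The new line's return value is also unchecked, like its neighbours; the replacement below routes any failure to the existing `err` label. On OpenSSL before 1.1.0 the `BN_RAND_TOP_ONE`/`BN_RAND_BOTTOM_ANY` names are spelled `1` and `0`. The enclosing function starts and ends outside the hunk.
```c
X509_set_version(x509, 2);	/* N+1 - version 3 */
{
BIGNUM * bn = BN_new();
/* 63 random bits, top bit set: positive, non-zero, unique per generation */
if (  !bn
   || !BN_rand(bn, 63, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)
   || !BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(x509)))
  { BN_free(bn); goto err; }
BN_free(bn);
}
/* … unchanged: notBefore/notAfter and pubkey … */
```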