From 1613fd68b5931757016c3c25fdc3b0f37827e7f1 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 24 May 2018 16:28:20 +0100 Subject: [PATCH 1/1] Use serial number 1 for self-generated selfsigned certificate Broken-by: 23bb69826c --- doc/doc-txt/ChangeLog | 3 +++ src/src/tls-gnu.c | 2 +- src/src/tls-openssl.c | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index e4d1719ec..261c56528 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -43,6 +43,9 @@ JH/06 Bug 2275: The MIME ACL unlocked the received message files early, and JH/07 Bug 177: Make a random-recipient callout success visible in ACL, by setting $sender_verify_failure/$recipient_verify_failure to "random". +JH/08 When generating a selfsigned cert, use serial number 1 since zero is not + legitimate. + Exim version 4.91 ----------------- diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 35816cd60..08c1d939e 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -790,7 +790,7 @@ if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA, goto err; where = US"configuring cert"; -now = 0; +now = 1; if ( (rc = gnutls_x509_crt_set_version(cert, 3)) || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now))) || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL))) diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index e69b64ce0..db48c9451 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1000,7 +1000,7 @@ if (!EVP_PKEY_assign_RSA(pkey, rsa)) goto err; X509_set_version(x509, 2); /* N+1 - version 3 */ -ASN1_INTEGER_set(X509_get_serialNumber(x509), 0); +ASN1_INTEGER_set(X509_get_serialNumber(x509), 1); X509_gmtime_adj(X509_get_notBefore(x509), 0); X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */ X509_set_pubkey(x509, pkey); -- 2.30.2