#1293 Expired certificates

Status: closed-fixed
Priority: 9
Updated: 2013-01-22
Created: 2011-11-04
Private: No

The certificates 'receiver.crt' and 'transmitter.crt' have expired, causing test failures in modules 'comm' and 'pop3' if 'tcltls' is installed at the time the test suite is run.
Also, the README in the devtools directory mentions that only the 'pop3' tests use these files, which is not true, as noted above.
Please regen these certs with much later expiry dates.

Discussion

  • Andreas Kupries

    Andreas Kupries - 2011-11-09
    • status: open --> open-fixed
     
  • Andreas Kupries

    Andreas Kupries - 2011-11-09

    Updated the certs. SimpleCA does not (seem to) allow me to specify an expiration date; it seems to be fixed to a single year. Updated the README.

     
  • eee

    eee - 2013-01-10

    There are still expired certificates in various places.

    examples/smtpd/server-public.pem expired Sep/10/2012 (and appears to be a CA root cert?)

    examples/transfer/certs/receiver.crt expired Apr/08/2010,
    examples/transfer/certs/transmitter.crt expired Apr/08/2010,
    but examples/transfer/certs/ca.crt is good for another six years, and is a CA root cert.

    modules/devtools/receiver.crt expired Nov/08/2012,
    modules/devtools/transmitter.crt expired Nov/08/2012,
    but modules/devtools/ca.crt is good for another 8 years, and is a CA root cert.

    It should be fairly trivial to modify SimpleCA to fix certificates to a ten year lifetime instead of one year, and if you do that I recommend going to 4096 bits as well.

     
  • eee

    eee - 2013-01-11

    Bumping pri to 9 per aku

     
  • eee

    eee - 2013-01-11
    • priority: 5 --> 9
     
  • Andreas Kupries

    Andreas Kupries - 2013-01-21
    • status: open-fixed --> open
     
  • Andreas Kupries

    Andreas Kupries - 2013-01-21

    Committed rev [7b80198969]. 10 year certs, 4096 bits.
    The README was ok, listing both "comm" and "pop3" as users.

    ... Grr ... Should not have committed ... I still see errors with the new certs, in the two test suites :(
    Claims cert expired. SimpleCA otoh claims valid until 2023.
    Will have to dig deeper, again :(
    Tempted to make 100yr certs, after I understand the continued failure.

    Now how do I again tell TclTLS how to spit out more internal data about the cert verification?

     
  • Andreas Kupries

    Andreas Kupries - 2013-01-22

    Found my problem. I extended the root cert validity period also, to 100 years, and this screwed things. I suspect a y2038 problem (aka 32/64 time_t). Going back to 10 years root cert (+10 days), and the result worked.

    We now have 10 year certs, at 1024 bit.

     
  • Andreas Kupries

    Andreas Kupries - 2013-01-22
    • status: open --> closed-fixed
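
The failure mode suspected in the 2013-01-22 comment (a notAfter date that no longer fits a signed 32-bit time_t), worked through as an added example that is not code from tcllib, TclTLS or SimpleCA. The dates are constructed, and that the verifier on that system truncated times this way is an assumption the thread does not confirm.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Days since 1970-01-01 for a Gregorian calendar date (year >= 0). */
static int64_t days_from_civil(int64_t y, int m, int d) {
    y -= (m <= 2);
    int64_t era = y / 400, yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

/* Parse an X.509 validity time, UTCTime "YYMMDDHHMMSSZ" or GeneralizedTime
 * "YYYYMMDDHHMMSSZ", into 64-bit seconds since the epoch. UTCTime years
 * 50..99 are 19YY, 00..49 are 20YY (RFC 5280). Returns 0 on success, -1 if malformed. */
int parse_asn1_time(const char *s, int64_t *out) {
    size_t n = strlen(s), i;
    int f[7], k = 0, year, *r;
    if ((n != 13 && n != 15) || s[n - 1] != 'Z') return -1;
    for (i = 0; i + 1 < n; i += 2) {          /* read the two-digit fields */
        if (s[i] < '0' || s[i] > '9' || s[i + 1] < '0' || s[i + 1] > '9') return -1;
        f[k++] = (s[i] - '0') * 10 + (s[i + 1] - '0');
    }
    year = (n == 13) ? f[0] + (f[0] >= 50 ? 1900 : 2000) : f[0] * 100 + f[1];
    r = f + (n == 13 ? 1 : 2);                /* r = month, day, hour, min, sec */
    if (r[0] < 1 || r[0] > 12 || r[1] < 1 || r[1] > 31 ||
        r[2] > 23 || r[3] > 59 || r[4] > 59) return -1;
    *out = days_from_civil(year, r[0], r[1]) * 86400 + r[2] * 3600 + r[3] * 60 + r[4];
    return 0;
}

/* Value left in a signed 32-bit time_t after truncating a 64-bit time. */
int32_t as_time32(int64_t t) {
    uint32_t u = (uint32_t)(uint64_t)t;
    return u < 0x80000000u ? (int32_t)u : (int32_t)(u - 0x80000000u) - 2147483647 - 1;
}
/* Expiry check as evaluated with 32-bit times, then with full 64-bit times. */
int expired32(int64_t now, int64_t not_after) { return as_time32(now) > as_time32(not_after); }
int expired64(int64_t now, int64_t not_after) { return now > not_after; }

int main(void) {
    int64_t now, ten, hundred; /* constructed dates, not taken from the repository's certs */
    parse_asn1_time("130121000000Z", &now);       /* 2013-01-21 */
    parse_asn1_time("230121000000Z", &ten);       /* 10-year notAfter */
    parse_asn1_time("21130121000000Z", &hundred); /* 100-year notAfter */
    printf("10y expired32=%d, 100y expired32=%d, 100y expired64=%d\n",
           expired32(now, ten), expired32(now, hundred), expired64(now, hundred));
    return 0;
}
```

The 100-year notAfter wraps to a date in December 1976, so the 32-bit comparison reports the certificate as expired while the 64-bit comparison does not.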
     
