error creating certificate which expires after 2038 on 32-bit architectures

Bug #771264 reported by bitinerant
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
openssl (Ubuntu) | Fix Released | Medium | Unassigned |
Hardy | Won't Fix | Undecided | Unassigned |
Lucid | Won't Fix | Undecided | Unassigned |
Maverick | Won't Fix | Undecided | Unassigned |
Natty | Won't Fix | Undecided | Unassigned |

Bug Description

Binary package hint: openvpn

When generating a new certificate, if the variables CA_EXPIRE or KEY_EXPIRE put the expiration date after 19-Jan-2038, then pkitool will create a certificate which expires around 1902 and also corrupt keys/index.txt so that the next certificate to be generated will receive the error "entry nn: invalid expiry date" and fail.

Tags: i386
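
Added example, not code from the report, easy-rsa or OpenSSL: it models the symptom above on the assumption that the expiry passes through a signed 32-bit seconds-since-1970 counter, and computes the largest CA_EXPIRE/KEY_EXPIRE value that avoids the wrap. The issue date is constructed and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define SECS_PER_DAY 86400LL

/* notAfter as seconds since the Unix epoch, computed in 64 bits. */
static int64_t expiry64(int64_t issued, int64_t days) {
    return issued + days * SECS_PER_DAY;
}

/* Same value after passing through a signed 32-bit seconds counter
 * (assumed model of the i386 failure): keep only the low 32 bits. */
static int64_t expiry32(int64_t issued, int64_t days) {
    uint32_t low = (uint32_t)(uint64_t)expiry64(issued, days);
    return low > (uint32_t)INT32_MAX ? (int64_t)low - 4294967296LL : (int64_t)low;
}

/* Largest CA_EXPIRE/KEY_EXPIRE value (days) that still fits in 32 bits. */
static int64_t max_safe_days(int64_t issued) {
    return ((int64_t)INT32_MAX - issued) / SECS_PER_DAY;
}

/* UTC calendar year of a timestamp; also correct before 1970. */
static int year_of(int64_t ts) {
    int64_t d = ts / SECS_PER_DAY - (ts % SECS_PER_DAY < 0); /* floor */
    int64_t z = d + 719468;               /* days since 0000-03-01 */
    int64_t era = (z >= 0 ? z : z - 146096) / 146097;
    int64_t doe = z - era * 146097;       /* day within 400-year era */
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    return (int)(yoe + era * 400 + (doy >= 306)); /* Jan/Feb: next year */
}

int main(void) {
    const int64_t issued = 1303776000;  /* constructed: 2011-04-26 00:00:00 UTC */
    const int64_t validity[] = {3650, 9765, 9766, 10000};
    printf("max safe validity: %lld days\n", (long long)max_safe_days(issued));
    for (int i = 0; i < 4; i++) {
        int64_t e = expiry32(issued, validity[i]);
        printf("%5lld days -> 32-bit expiry year %d%s\n",
               (long long)validity[i], year_of(e),
               e == expiry64(issued, validity[i]) ? "" : "  (wrapped)");
    }
    return 0;
}
```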
Clint Byrum (clint-fewbar) wrote :

Hi bitinerant, thanks for taking the time to file this bug report and help us make Ubuntu better.

This is confirmed, but only on i386. 64-bit architectures produce the appropriate certificate.

I also believe this may be fixed in OpenSSL 1.0.0 [1], which is in Oneiric as of today. I will build a test i386 chroot and confirm that fix as well.

Marking Confirmed, setting Importance to Medium. Also reassigning to openssl.

--
[1] http://www.openssl.org/news/changelog.html

Changed in openvpn (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
summary: - error creating certificate which expires after 2038
+ error creating certificate which expires after 2038 on 32-bit
+ architectures
affects: openvpn (Ubuntu) → openssl (Ubuntu)
Clint Byrum (clint-fewbar) wrote :

This problem is, indeed, fixed in Oneiric by OpenSSL 1.0.0.

It's likely we'll choose not to backport these fixes to Maverick/Natty, and Hardy seems a bit old for it as well. But given that Lucid will be in service until 2015, it *might* be worth backporting.

I've opened all of the tasks as New, but this is more to document the status in each release.

Changed in openssl (Ubuntu):
status: Confirmed → Fix Released
tags: added: i386
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. hardy has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against hardy is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in openssl (Ubuntu Hardy):
status: New → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against maverick is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in openssl (Ubuntu Maverick):
status: New → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. natty has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against natty is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in openssl (Ubuntu Natty):
status: New → Won't Fix
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in openssl (Ubuntu Lucid):
status: New → Won't Fix