Project

General

Profile

Actions

Regression #11504

closed

CA and certificate validity end dates after 2038 are not handled properly on 32-bit ARM

Added by Steve Wheeler over 3 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Certificates
Target version:
Start date:
02/22/2021
Due date:
% Done:

100%

Estimated time:
Release Notes:
Affected Plus Version:
21.02
Affected Architecture:
SG-1000, SG-3100

Description

The expiry date rolls over and is shown as some time in that past. pfSense see it as expired/invalid. See attachment.

This looks like a regression since: https://redmine.pfsense.org/issues/9100


Files

image (110).png (223 KB) image (110).png Steve Wheeler, 02/22/2021 04:52 PM
Actions #1

Updated by Jim Pingle over 3 years ago

  • Target version changed from 21.05 to Plus-Next

Looks like this is from the validTo date in the parsed details using a four digit date and the code assumed a two digit date. Looks like it can be either one in certs so I added a check to fall back to the other method. Fix coming shortly.

Actions #2

Updated by Jim Pingle over 3 years ago

When applying the patch for this, you will probably need to apply cb17faca3b07197db4b1eb1502a876873ddc222c first and then 16c1d390188f6e1573fe05e4e8cf7cf550fad237

Actions #3

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #4

Updated by Max Leighton over 3 years ago

bdaa35dcf31def521ba8c60c0aa9c41bf5005311 is working when applied to 21.02p1 on an SG-3100. The change hasn't made it into the latest development snapshots of pfSense+ so I will leave it open for now.

Actions #5

Updated by Jim Pingle over 3 years ago

  • Target version changed from Plus-Next to 21.02.2

Needs re-tested on snapshots.

If needed, I have a user-supplied certificate which can replicate the problem and can provide a copy internally (not on Redmine).

Actions #6

Updated by Marcos M over 3 years ago

Tested on 21.02p1 and it showed as invalid. After updating to latest dev build image (Mar 10), the cert no longer showed as invalid. This was on:

21.05-DEVELOPMENT (arm)
built on Wed Mar 10 01:03:47 EST 2021
FreeBSD 12.2-STABLE

Once a snapshot is available on 21.02p2, I can test on that as well.

Actions #7

Updated by Marcos M over 3 years ago

Confirmed working on 21.02.2

Actions #8

Updated by Jim Pingle over 3 years ago

  • Status changed from Feedback to Resolved
Actions #9

Updated by Jim Pingle over 3 years ago

  • Subject changed from CA/Cert valid end dates after 2038 are invalid on arm32 to CA and certificate validity end dates after 2038 are not handled properly on 32-bit ARM

Updating subject for release notes.

Actions

Also available in: Atom PDF