Regression #11504

CA and certificate validity end dates after 2038 are not handled properly on 32-bit ARM

Added by Steve Wheeler about 2 months ago. Updated about 1 month ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Certificates
Target version:
Start date: 02/22/2021
Due date:
% Done: 100%
Estimated time:
Affected Plus Version: 21.02
Affected Architecture: SG-1000, SG-3100
Release Notes: Default

Description

The expiry date rolls over and is shown as some time in the past. pfSense sees it as expired/invalid. See attachment.

This looks like a regression since: https://redmine.pfsense.org/issues/9100

Attachment: image (110).png (223 KB), Steve Wheeler, 02/22/2021 04:52 PM

Associated revisions

Revision bdaa35dc (diff)
Added by Jim Pingle about 2 months ago

Try parsing four digit years in cert timestamps. Fixes #11504

Revision 16c1d390 (diff)
Added by Jim Pingle about 2 months ago

Try parsing four digit years in cert timestamps. Fixes #11504

(cherry picked from commit bdaa35dcf31def521ba8c60c0aa9c41bf5005311)

History

#1 Updated by Jim Pingle about 2 months ago

  • Target version changed from 21.05 to Plus-Next

Looks like this is from the validTo date in the parsed details using a four digit date and the code assumed a two digit date. Looks like it can be either one in certs so I added a check to fall back to the other method. Fix coming shortly.
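The two timestamp forms mentioned in the comment above, as an added Python example (not pfSense's PHP code and not part of the original ticket): it parses a certificate end date in either the two-digit-year or four-digit-year form and shows what a signed 32-bit seconds counter would report for the same instant. The function names and sample timestamps are constructed for illustration; the two-digit-year pivot follows RFC 5280.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_cert_time(value: str) -> datetime:
    """Parse an X.509 validity string: UTCTime (YYMMDDHHMMSSZ) or
    GeneralizedTime (YYYYMMDDHHMMSSZ). Both must be UTC ("Z" suffix)."""
    if not value.endswith("Z") or not value[:-1].isdigit():
        raise ValueError(f"unsupported certificate time: {value!r}")
    digits = value[:-1]
    if len(digits) == 12:
        # RFC 5280: two-digit years 50-99 mean 19YY, 00-49 mean 20YY.
        digits = ("19" if int(digits[:2]) >= 50 else "20") + digits
    elif len(digits) != 14:
        raise ValueError(f"unexpected length in certificate time: {value!r}")
    parsed = datetime.strptime(digits, "%Y%m%d%H%M%S")
    return parsed.replace(tzinfo=timezone.utc)


def is_expired(not_after: str, now: datetime) -> bool:
    """Compare as calendar dates, never as fixed-width integers."""
    return parse_cert_time(not_after) < now


def int32_view(moment: datetime) -> datetime:
    """Date that a signed 32-bit seconds-since-1970 counter would report."""
    secs = int((moment - EPOCH).total_seconds())
    wrapped = (secs + 2**31) % 2**32 - 2**31  # wraps after 2038-01-19
    return EPOCH + timedelta(seconds=wrapped)


if __name__ == "__main__":
    now = datetime(2021, 2, 22, tzinfo=timezone.utc)  # constructed "today"
    # Constructed samples: one two-digit-year value, one four-digit-year value.
    for sample in ("210222165200Z", "20410222165200Z"):
        end = parse_cert_time(sample)
        print(sample, "->", end.isoformat(),
              "| expired:", is_expired(sample, now),
              "| 32-bit view:", int32_view(end).date())
```

Running it shows the end date past 2038 parsing correctly as a date while the 32-bit view of the same instant lands in the past.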

#2 Updated by Jim Pingle about 2 months ago

When applying the patch for this, you will probably need to apply cb17faca3b07197db4b1eb1502a876873ddc222c first and then 16c1d390188f6e1573fe05e4e8cf7cf550fad237

#3 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#4 Updated by Max Leighton about 1 month ago

bdaa35dcf31def521ba8c60c0aa9c41bf5005311 is working when applied to 21.02p1 on an SG-3100. The change hasn't made it into the latest development snapshots of pfSense+ so I will leave it open for now.

#5 Updated by Jim Pingle about 1 month ago

  • Target version changed from Plus-Next to 21.02.2

Needs re-tested on snapshots.

If needed, I have a user-supplied certificate which can replicate the problem and can provide a copy internally (not on Redmine).

#6 Updated by Marcos Mendoza about 1 month ago

Tested on 21.02p1 and it showed as invalid. After updating to latest dev build image (Mar 10), the cert no longer showed as invalid. This was on:

21.05-DEVELOPMENT (arm)
built on Wed Mar 10 01:03:47 EST 2021
FreeBSD 12.2-STABLE

Once a snapshot is available on 21.02p2, I can test on that as well.

#7 Updated by Marcos Mendoza about 1 month ago

Confirmed working on 21.02.2

#8 Updated by Jim Pingle about 1 month ago

  • Status changed from Feedback to Resolved

#9 Updated by Jim Pingle about 1 month ago

  • Subject changed from CA/Cert valid end dates after 2038 are invalid on arm32 to CA and certificate validity end dates after 2038 are not handled properly on 32-bit ARM

Updating subject for release notes.
