Bug #13424
closed
CRL expiration date with default lifetime is too long, goes past UTCTime limit
Added by Jim Pingle over 1 year ago.
Updated over 1 year ago.
Plus Target Version:
23.01
Description
The default lifetime on internal CRLs is 9999 which as of now lands the expiration of a CRL past 2050. The CRL library uses a UTCTime string for dates which has a 2-digit year and 2050 dates, shortened to 50, are rolled back to 1950.
Reducing the default lifetime of internal CRLs is safe as they are regenerated as needed not manually, they would rarely approach any CRL expiration date as any time a CRL consumer service restarts it refreshes the CRL contents and gets a fresh expiration date.
2 years (730 days) should be more than sufficient.
Also the backend code should reduce the maximum allowed CRL lifetime so it doesn't cross that time barrier.
This is affecting production systems using CRLs so any fix should also be added to the system patches package so affected users can apply the fix ASAP.
Files
Applied diff manually.
Restarted OpenVPN server service, bingo, it works!
Thanks!
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
The patch has been committed into the System Patches package and will be available to users there soon once some work on the build system is complete.
In the meantime, users can install the System Patches package and then create an entry for a3c1589086ea67d25a28ec14ab95d7fd9ab25fa2 to apply the fix immediately.
Tested the patch:
22.05-RELEASE (amd64)
built on Wed Jun 22 18:56:13 UTC 2022
FreeBSD 12.3-STABLE
1. The lifetime of the newly created CRLs is 730 days.
2. The backend code didn't allow me to define a lifetime longer than 8996 days.
Yet, the CRL I defined before applying the patch still has a lifetime of 9999 days (at least that's listed in the config.xml file). Shouldn't that be reduced after applying the patch automatically?
The patch does not alter the configuration or lifetimes of existing entries, it (a) reduces the default for new CRL entries, (b) prevents a user from manually setting a lifetime too large, and (c) ensures no CRL is generated with a lifetime near the limit, even if configured to do so.
It has protections in place for both the 2050 rollover for all platforms as well as 2038 rollover for 32-bit platforms.
The fix doesn't work after turning off pfsense. After switching on, the error repeats. Restarting the vpn service or the entire pfsense server helps, but after shutting down everything repeats.
I can't reproduce that here. Start a thread on the forum to discuss your problem further.
- Status changed from Feedback to Resolved
Tested on
22.05-RELEASE (amd64)
built on Wed Jun 22 18:56:13 UTC 2022
FreeBSD 12.3-STABLE
Marking resolved.
- Plus Target Version changed from 22.11 to 23.01
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by 
Updated by