Re: [tor-bugs] #8443 [Tor]: SSL handshake filtered when MAX_SSL_KEY_LIFETIME_ADVERTISED is 365 days
#8443: SSL handshake filtered when MAX_SSL_KEY_LIFETIME_ADVERTISED is 365 days
------------------------+---------------------------------------------------
Reporter: arma | Owner:
Type: defect | Status: needs_revision
Priority: normal | Milestone: Tor: 0.2.4.x-final
Component: Tor | Version:
Keywords: tor-bridge | Parent:
Points: | Actualpoints:
------------------------+---------------------------------------------------
Comment(by arma):
I've been thinking something like
{{{
@@ -632,7 +633,7 @@ tor_tls_create_certificate(crypto_pk_t *rsa,
tor_tls_init();
- start_time = time(NULL);
+ start_time = time(NULL) - crypto_rand_int(cert_lifetime);
tor_assert(rsa);
tor_assert(cname);
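Review bot: the new `start_time = time(NULL) - crypto_rand_int(cert_lifetime);` line backdates notBefore by up to cert_lifetime seconds but carries no comment saying why; add a one-liner stating the purpose (hide how recently the certificate was created) and make sure cert_lifetime cannot be zero here, since a zero bound makes the random offset meaningless and may not be accepted by crypto_rand_int. The clock read and RNG call now also happen before the `tor_assert(rsa)` / `tor_assert(cname)` argument checks; moving them after the asserts keeps the argument validation first, and capturing the clock in a local `now` would let the notAfter computation in the later hunk reuse the same timestamp.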
@@ -667,7 +668,7 @@ tor_tls_create_certificate(crypto_pk_t *rsa,
if (!X509_time_adj(X509_get_notBefore(x509),0,&start_time))
goto error;
- end_time = start_time + cert_lifetime;
+ end_time = time(NULL) + cert_lifetime;
if (!X509_time_adj(X509_get_notAfter(x509),0,&end_time))
goto error;
if (!X509_set_pubkey(x509, pkey))
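Review bot: `end_time = time(NULL) + cert_lifetime;` reads the clock a second time, so start_time and end_time can come from different seconds; derive both from one `now` value captured in the first hunk. More importantly, with notBefore backdated by up to cert_lifetime and notAfter set to now + cert_lifetime, the total validity span is no longer cert_lifetime but anywhere from cert_lifetime up to nearly 2*cert_lifetime, which is exactly the "1 to 365 days in the future, 0 to that many in the past" behaviour the comment calls a hack and which needs checking against the advertised maximum lifetime this ticket is about. Either document that callers must pass at most half the advertised limit, or pick the random offset so that `end_time - start_time` stays exactly cert_lifetime.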
}}}
would be wise, and sufficient to get rid of my "gosh, your cert was born within the past 2 hours" worry. It's sort of a hack though -- it makes your cert valid for 1 to 365 days in the future, and 0 to that-previous-number days in the past.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8443#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
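The validity window the patch above produces, modelled as an added example that is not Tor's code: the random offset is passed in by the caller instead of coming from crypto_rand_int, the clock is read once and shared by both bounds, and a checker verifies the invariants a reviewer would want (now lies inside the window, notAfter is exactly cert_lifetime ahead, and the total span stays below 2*cert_lifetime). The names `compute_window`, `window_is_sane`, `apparent_age` and the sample timestamp are assumptions made for this example.

```c
#include <assert.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical model (not Tor's own code) of the window the patch proposes:
 * notBefore is backdated by a random offset in [0, cert_lifetime) and
 * notAfter is now + cert_lifetime. */
typedef struct {
    time_t not_before;
    time_t not_after;
} cert_window_t;

/* rand_offset must already lie in [0, cert_lifetime); in Tor it would come
 * from crypto_rand_int(cert_lifetime). The caller reads the clock once and
 * passes it in, so both bounds are derived from the same second. */
cert_window_t compute_window(time_t now, unsigned int cert_lifetime,
                             unsigned int rand_offset)
{
    cert_window_t w;
    assert(cert_lifetime > 0);           /* a zero bound has no random range */
    assert(rand_offset < cert_lifetime); /* offset must stay inside the range */
    w.not_before = now - (time_t)rand_offset;
    w.not_after = now + (time_t)cert_lifetime;
    return w;
}

/* Invariants on the resulting window. Returns 1 if all hold, 0 otherwise:
 *  - the current time is inside [notBefore, notAfter]
 *  - notAfter is exactly cert_lifetime ahead of now
 *  - the total span is strictly less than 2*cert_lifetime, which is what
 *    "1 to 365 days ahead, 0 to that many back" amounts to */
int window_is_sane(const cert_window_t *w, time_t now,
                   unsigned int cert_lifetime)
{
    if (w->not_before > now || w->not_after < now)
        return 0;
    if (w->not_after - now != (time_t)cert_lifetime)
        return 0;
    if (w->not_after - w->not_before >= 2 * (time_t)cert_lifetime)
        return 0;
    return 1;
}

/* How old the certificate looks to an observer. Without backdating this is
 * always tiny for a freshly made cert, which is the fingerprint the ticket
 * comment worries about. */
time_t apparent_age(const cert_window_t *w, time_t now)
{
    return now - w->not_before;
}

int main(void)
{
    const time_t now = 1362960000;                  /* constructed sample time */
    const unsigned int lifetime = 365u * 24u * 60u * 60u; /* 365 days */
    const unsigned int offset = 12345;              /* constructed RNG output */
    cert_window_t w = compute_window(now, lifetime, offset);

    printf("notBefore=%ld notAfter=%ld apparent age=%lds sane=%d\n",
           (long)w.not_before, (long)w.not_after,
           (long)apparent_age(&w, now), window_is_sane(&w, now, lifetime));
    return window_is_sane(&w, now, lifetime) ? 0 : 1;
}
```

Because the offset is a parameter, the same function can be exercised with the boundary values 0 and cert_lifetime-1 to confirm the window never leaves the stated range, something a randomised call to crypto_rand_int inside the function would make hard to test deterministically.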