From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: [pve-devel] applied: [PATCH common] cert: fix invalid CSR version
Date: Thu, 20 Apr 2023 14:32:30 +0200
Message-ID: <1681993915.hw21npir87.astroid@yuna.none>
In-Reply-To: <20230331161224.1499336-1-m.limbeck@proxmox.com>
thanks! (and sorry for the delay)
On March 31, 2023 6:12 pm, Mira Limbeck wrote:
> According to rfc2986 the only valid version is 0. No newer rfc changed
> that.
> See section 4.1:
> https://www.rfc-editor.org/rfc/rfc2986#section-4.1
>
> Manually verifying the CSR with openssl results in the following error:
> ```
> $ openssl req -in bad.csr -text -noout
> Certificate Request:
> Data:
> Version: Unknown (2)
> ```
>
> Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
> ---
> I wasn't able to create a test setup where I could test this yet, will
> try again on monday.
>
> Stoiko tested it on his setup with Let's Encrypt Staging and it worked
> fine. Although he didn't extract the CSR to verify it.
>
> A customer reported the issue in the enterprise support portal and
> provided the fix as well.
>
> src/PVE/Certificate.pm | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/PVE/Certificate.pm b/src/PVE/Certificate.pm
> index 4ce7364..f67f6cd 100644
> --- a/src/PVE/Certificate.pm
> +++ b/src/PVE/Certificate.pm
> @@ -430,7 +430,7 @@ sub generate_csr {
>
> $cleanup->("Failed to set public key\n") if !Net::SSLeay::X509_REQ_set_pubkey($req, $pk);
>
> - $cleanup->("Failed to set CSR version\n") if !Net::SSLeay::X509_REQ_set_version($req, 2);
> + $cleanup->("Failed to set CSR version\n") if !Net::SSLeay::X509_REQ_set_version($req, 0);
>
> $cleanup->("Failed to sign CSR\n") if !Net::SSLeay::X509_REQ_sign($req, $pk, $md);
>
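Review bot: the literal 0 now passed to X509_REQ_set_version in generate_csr carries no explanation, so nothing in the code tells a later reader why the CSR version is not 2 or 3. The old value 2 is what an X.509 v3 certificate encodes, which makes this an easy value to "correct" back by mistake. A one-line comment above the call citing RFC 2986 section 4.1 (the only defined PKCS#10 version is 0) would guard against that. The notes under the commit message also say the generated CSR was not extracted and verified, so a check that parses the output of generate_csr and asserts on its version field would be worth adding alongside this change.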
> --
> 2.30.2
>
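The commit message above rests on RFC 2986 section 4.1 allowing only version 0. As an added example (not part of the original mail or of the Proxmox code base), the following reads the raw version INTEGER out of a PKCS#10 request so it can be checked before submission; the names `der`, `read_tlv`, `csr_version` and `sample_csr` are hypothetical, and the sample requests are constructed CSR-shaped DER, not signed requests.

```python
import base64

def der(tag, content):
    """Encode one DER TLV (only used to build the constructed samples)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or start + n > len(buf):
            raise ValueError("indefinite or truncated DER length")
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    if start + length > len(buf):
        raise ValueError("DER element runs past end of input")
    return tag, start, start + length

def csr_version(data):
    """Return the raw version INTEGER of a PKCS#10 CSR (PEM or DER bytes)."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = [l for l in data.strip().splitlines() if not l.startswith(b"-----")]
        data = base64.b64decode(b"".join(body))
    pos = 0
    # Walk CertificationRequest -> CertificationRequestInfo -> version.
    for want in (0x30, 0x30, 0x02):
        tag, pos, end = read_tlv(data, pos)
        if tag != want:
            raise ValueError("not a PKCS#10 CertificationRequest")
    return int.from_bytes(data[pos:end], "big", signed=True)

def sample_csr(version):
    """Constructed sample: empty subject, dummy key and signature bytes."""
    key = der(0x30, der(0x03, b"\x00" + bytes(140)))
    info = der(0x30, der(0x02, bytes([version])) + der(0x30, b"") + key + der(0xA0, b""))
    return der(0x30, info + der(0x30, b"") + der(0x03, b"\x00" + bytes(8)))

if __name__ == "__main__":
    for v in (0, 2):  # 0 is the RFC 2986 value, 2 is what the old code set
        found = csr_version(sample_csr(v))
        print(f"version field {found}:", "ok" if found == 0 else "invalid")
```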