From: Mira Limbeck <m.limbeck@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH common] cert: fix invalid CSR version
Date: Fri, 31 Mar 2023 18:12:24 +0200 [thread overview]
Message-ID: <20230331161224.1499336-1-m.limbeck@proxmox.com> (raw)
According to rfc2986 the only valid version is 0. No newer rfc changed
that.
See section 4.1:
https://www.rfc-editor.org/rfc/rfc2986#section-4.1
Manually verifying the CSR with openssl results in the following error:
```
$ openssl req -in bad.csr -text -noout
Certificate Request:
    Data:
        Version: Unknown (2)
```
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
---
I wasn't able to create a test setup where I could test this yet, will
try again on Monday.
Stoiko tested it on his setup with Let's Encrypt Staging and it worked
fine. Although he didn't extract the CSR to verify it.
A customer reported the issue in the enterprise support portal and
provided the fix as well.
src/PVE/Certificate.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/PVE/Certificate.pm b/src/PVE/Certificate.pm
index 4ce7364..f67f6cd 100644
--- a/src/PVE/Certificate.pm
+++ b/src/PVE/Certificate.pm
@@ -430,7 +430,7 @@ sub generate_csr {
$cleanup->("Failed to set public key\n") if !Net::SSLeay::X509_REQ_set_pubkey($req, $pk);
- $cleanup->("Failed to set CSR version\n") if !Net::SSLeay::X509_REQ_set_version($req, 2);
+ $cleanup->("Failed to set CSR version\n") if !Net::SSLeay::X509_REQ_set_version($req, 0);
$cleanup->("Failed to sign CSR\n") if !Net::SSLeay::X509_REQ_sign($req, $pk, $md);
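Review bot: the new literal `0` in the `X509_REQ_set_version` call should carry a one-line comment pointing at RFC 2986 section 4.1 (the only version defined for a CertificationRequestInfo is v1, encoded as 0), because the old value `2` reads like the X.509 v3 certificate numbering and nothing at this call site stops someone from "correcting" it back; the cover note also says the change has not been verified end to end yet, so before applying, a CSR produced by `generate_csr` should be checked with the same `openssl req -in <csr> -text -noout` command from the commit message to confirm the `Unknown (2)` line is gone.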
--
2.30.2
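As an added check that is not part of the patch or of PVE's own code: a minimal DER walker that pulls the version INTEGER out of a CertificationRequestInfo, so a wrong version (like the `2` this patch removes) can be caught in a test without depending on openssl output. The two CSR blobs are constructed, truncated stand-ins containing only the leading TLVs; real CSRs are parsed the same way from their first bytes.

```python
"""Read the version field of a PKCS#10 CSR (DER) by hand.

RFC 2986 section 4.1 defines
    CertificationRequestInfo ::= SEQUENCE { version INTEGER { v1(0) }, ... }
so a conforming CSR must carry version 0.  The blobs at the bottom are
constructed examples, not full signed requests.
"""


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def csr_version(der: bytes) -> int:
    """Extract CertificationRequestInfo.version from a DER-encoded CSR."""
    tag, start, _ = _read_tlv(der, 0)          # CertificationRequest SEQUENCE
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, start, _ = _read_tlv(der, start)      # CertificationRequestInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("CertificationRequestInfo is not a SEQUENCE")
    tag, vstart, vend = _read_tlv(der, start)  # version INTEGER
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[vstart:vend], "big", signed=True)


def csr_version_ok(der: bytes) -> bool:
    """True only for the single version RFC 2986 allows."""
    return csr_version(der) == 0


# Constructed stand-ins: SEQUENCE { SEQUENCE { INTEGER version, SEQUENCE {} } }
GOOD_CSR = bytes.fromhex("3007" "3005" "020100" "3000")  # version 0, as after the fix
BAD_CSR = bytes.fromhex("3007" "3005" "020102" "3000")   # version 2, as before the fix

if __name__ == "__main__":
    for name, blob in (("good", GOOD_CSR), ("bad", BAD_CSR)):
        print(name, csr_version(blob), "ok" if csr_version_ok(blob) else "INVALID")
```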
Thread overview: 3+ messages
2023-03-31 16:12 Mira Limbeck [this message]
2023-04-03 12:13 ` Mira Limbeck
2023-04-20 12:32 ` [pve-devel] applied: " Fabian Grünbichler