public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [PATCH common] cert: fix invalid CSR version
@ 2023-03-31 16:12 Mira Limbeck
  2023-04-03 12:13 ` Mira Limbeck
  2023-04-20 12:32 ` [pve-devel] applied: " Fabian Grünbichler
  0 siblings, 2 replies; 3+ messages in thread
From: Mira Limbeck @ 2023-03-31 16:12 UTC (permalink / raw)
  To: pve-devel

According to rfc2986 the only valid version is 0. No newer rfc changed
that.
See section 4.1:
https://www.rfc-editor.org/rfc/rfc2986#section-4.1

Manually verifying the CSR with openssl results in the following error:
```
$ openssl req -in bad.csr -text -noout
Certificate Request:
    Data:
        Version: Unknown (2)
```

Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
---
I wasn't able to create a test setup where I could test this yet, will
try again on monday.

Stoiko tested it on his setup with Let's Encrypt Staging and it worked
fine. Although he didn't extract the CSR to verify it.

A customer reported the issue in the enterprise support portal and
provided the fix as well.

 src/PVE/Certificate.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/Certificate.pm b/src/PVE/Certificate.pm
index 4ce7364..f67f6cd 100644
--- a/src/PVE/Certificate.pm
+++ b/src/PVE/Certificate.pm
@@ -430,7 +430,7 @@ sub generate_csr {
 
     $cleanup->("Failed to set public key\n") if !Net::SSLeay::X509_REQ_set_pubkey($req, $pk);
 
-    $cleanup->("Failed to set CSR version\n") if !Net::SSLeay::X509_REQ_set_version($req, 2);
+    $cleanup->("Failed to set CSR version\n") if !Net::SSLeay::X509_REQ_set_version($req, 0);
 
     $cleanup->("Failed to sign CSR\n") if !Net::SSLeay::X509_REQ_sign($req, $pk, $md);
 
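Review bot: the corrected literal in `X509_REQ_set_version($req, 0)` is right per RFC 2986 section 4.1 (the version INTEGER only defines v1, encoded as 0), but a bare `0` next to `$req` reads like an unset placeholder and invites being "fixed" back to a higher number; a one-line comment on the `+` line such as `# RFC 2986 only defines CSR version 0 (v1)` would prevent that. Also, the cover letter states that the CSR produced after this change has not been extracted and inspected; since the old value silently produced requests that `openssl req -in bad.csr -text -noout` reports as `Version: Unknown (2)`, a regression test that calls `generate_csr` and checks the resulting request's version is 0 (for example by running that same `openssl req -text -noout` inspection on the output) would close the gap the cover letter describes.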
-- 
2.30.2
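As an added example (not code from this thread, from pve-common or from Net::SSLeay): a small defender-side check that reads the version INTEGER directly out of a CSR's DER encoding, so a build or CI step can reject a request whose version is not 0 before it is ever submitted to a CA. The parser follows the CertificationRequest structure from RFC 2986 section 4.1; `build_csr_shape` and `der_to_pem` are helpers assumed here to construct CSR-shaped sample inputs for the check, not real signed requests.

```python
import base64
import re


def der_read_tlv(data: bytes):
    """Read one DER tag-length-value; return (tag, value, remaining bytes)."""
    if len(data) < 2:
        raise ValueError("truncated DER element")
    tag, first = data[0], data[1]
    if first < 0x80:                      # short-form length
        length, offset = first, 2
    else:                                 # long-form length: 0x8N followed by N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(data[2:2 + n], "big")
        offset = 2 + n
    end = offset + length
    if end > len(data):
        raise ValueError("DER value runs past end of input")
    return tag, data[offset:end], data[end:]


def der_encode_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER element (used only to build the constructed samples below)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def pem_to_der(text: str) -> bytes:
    """Extract the DER bytes from a PEM 'CERTIFICATE REQUEST' block."""
    m = re.search(
        r"-----BEGIN CERTIFICATE REQUEST-----(.*?)-----END CERTIFICATE REQUEST-----",
        text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST block found")
    return base64.b64decode("".join(m.group(1).split()))


def csr_version(der: bytes) -> int:
    """Return the version INTEGER from certificationRequestInfo (RFC 2986 s4.1).

    CertificationRequest ::= SEQUENCE {
        certificationRequestInfo SEQUENCE { version INTEGER, subject, ... },
        signatureAlgorithm, signature }
    """
    tag, body, _ = der_read_tlv(der)
    if tag != 0x30:
        raise ValueError("CertificationRequest is not a SEQUENCE")
    tag, info, _ = der_read_tlv(body)
    if tag != 0x30:
        raise ValueError("certificationRequestInfo is not a SEQUENCE")
    tag, ver, _ = der_read_tlv(info)
    if tag != 0x02:
        raise ValueError("first field of certificationRequestInfo is not an INTEGER")
    return int.from_bytes(ver, "big", signed=True)


def check_csr_version(der: bytes) -> bool:
    """True when the CSR carries the only version RFC 2986 defines (0, i.e. v1)."""
    return csr_version(der) == 0


def build_csr_shape(version: int) -> bytes:
    """Constructed sample (assumed helper): a CSR-shaped DER skeleton.

    Only the version field is meaningful; subject, SubjectPublicKeyInfo,
    attributes and signature are empty placeholders, so this is not a real,
    signed CSR and exists only to exercise the parser above.
    """
    info = der_encode_tlv(0x30,
                          der_encode_tlv(0x02, bytes([version]))  # version INTEGER
                          + der_encode_tlv(0x30, b"")             # subject Name
                          + der_encode_tlv(0x30, b"")             # subjectPKInfo
                          + der_encode_tlv(0xA0, b""))            # attributes [0]
    sig_alg = der_encode_tlv(0x30, b"")                            # AlgorithmIdentifier
    sig = der_encode_tlv(0x03, b"\x00")                            # signature BIT STRING
    return der_encode_tlv(0x30, info + sig_alg + sig)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE REQUEST block (assumed helper)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE REQUEST-----\n")


if __name__ == "__main__":
    # A version-0 sample passes; a version-2 sample (the bug fixed above) fails.
    for v in (0, 2):
        der = pem_to_der(der_to_pem(build_csr_shape(v)))
        print(f"version={csr_version(der)} accepted={check_csr_version(der)}")
```

Against a real request, `check_csr_version(pem_to_der(open(path).read()))` is the programmatic equivalent of the `openssl req -in bad.csr -text -noout` inspection in the commit message: the parser stops at the first INTEGER of certificationRequestInfo and never needs to validate the signature, so it is cheap enough to run on every CSR before it leaves the host.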





* Re: [pve-devel] [PATCH common] cert: fix invalid CSR version
  2023-03-31 16:12 [pve-devel] [PATCH common] cert: fix invalid CSR version Mira Limbeck
@ 2023-04-03 12:13 ` Mira Limbeck
  2023-04-20 12:32 ` [pve-devel] applied: " Fabian Grünbichler
  1 sibling, 0 replies; 3+ messages in thread
From: Mira Limbeck @ 2023-04-03 12:13 UTC (permalink / raw)
  To: pve-devel

Looks like a python-cryptography maintainer opened a pull request on 
Github with the exact same change: 
https://github.com/proxmox/pve-common/pull/8





* [pve-devel] applied: [PATCH common] cert: fix invalid CSR version
  2023-03-31 16:12 [pve-devel] [PATCH common] cert: fix invalid CSR version Mira Limbeck
  2023-04-03 12:13 ` Mira Limbeck
@ 2023-04-20 12:32 ` Fabian Grünbichler
  1 sibling, 0 replies; 3+ messages in thread
From: Fabian Grünbichler @ 2023-04-20 12:32 UTC (permalink / raw)
  To: Proxmox VE development discussion

thanks! (and sorry for the delay)

On March 31, 2023 6:12 pm, Mira Limbeck wrote:
> According to rfc2986 the only valid version is 0. No newer rfc changed
> that.
> See section 4.1:
> https://www.rfc-editor.org/rfc/rfc2986#section-4.1
> 
> Manually verifying the CSR with openssl results in the following error:
> ```
> $ openssl req -in bad.csr -text -noout
> Certificate Request:
>     Data:
>         Version: Unknown (2)
> ```
> 
> Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
> ---
> I wasn't able to create a test setup where I could test this yet, will
> try again on monday.
> 
> Stoiko tested it on his setup with Let's Encrypt Staging and it worked
> fine. Although he didn't extract the CSR to verify it.
> 
> A customer reported the issue in the enterprise support portal and
> provided the fix as well.
> 
>  src/PVE/Certificate.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/PVE/Certificate.pm b/src/PVE/Certificate.pm
> index 4ce7364..f67f6cd 100644
> --- a/src/PVE/Certificate.pm
> +++ b/src/PVE/Certificate.pm
> @@ -430,7 +430,7 @@ sub generate_csr {
>  
>      $cleanup->("Failed to set public key\n") if !Net::SSLeay::X509_REQ_set_pubkey($req, $pk);
>  
> -    $cleanup->("Failed to set CSR version\n") if !Net::SSLeay::X509_REQ_set_version($req, 2);
> +    $cleanup->("Failed to set CSR version\n") if !Net::SSLeay::X509_REQ_set_version($req, 0);
>  
>      $cleanup->("Failed to sign CSR\n") if !Net::SSLeay::X509_REQ_sign($req, $pk, $md);
>  
> -- 
> 2.30.2
> 
> 




