From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mira Limbeck
To: pve-devel@lists.proxmox.com
Date: Fri, 31 Mar 2023 18:12:24 +0200
Message-Id: <20230331161224.1499336-1-m.limbeck@proxmox.com>
Subject: [pve-devel] [PATCH common] cert: fix invalid CSR version

According to RFC 2986 the only valid version is 0. No newer RFC changed that.
See section 4.1: https://www.rfc-editor.org/rfc/rfc2986#section-4.1

Manually verifying the CSR with openssl results in the following error:

```
$ openssl req -in bad.csr -text -noout
Certificate Request:
    Data:
        Version: Unknown (2)
```

Signed-off-by: Mira Limbeck
---
I wasn't able to create a test setup where I could test this yet, will try again on Monday.

Stoiko tested it on his setup with Let's Encrypt Staging and it worked fine. Although he didn't extract the CSR to verify it.

A customer reported the issue in the enterprise support portal and provided the fix as well.

 src/PVE/Certificate.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/Certificate.pm b/src/PVE/Certificate.pm
index 4ce7364..f67f6cd 100644
--- a/src/PVE/Certificate.pm
+++ b/src/PVE/Certificate.pm
@@ -430,7 +430,7 @@ sub generate_csr { $cleanup->("Failed to set public key\n") if !Net::SSLeay::X509_REQ_set_pubkey($req, $pk); - $cleanup->("Failed to set CSR version\n") if !Net::SSLeay::X509_REQ_set_version($req, 2); + $cleanup->("Failed to set CSR version\n") if !Net::SSLeay::X509_REQ_set_version($req, 0); $cleanup->("Failed to sign CSR\n") if !Net::SSLeay::X509_REQ_sign($req, $pk, $md); -- 2.30.2
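Review bot: the new value is right per RFC 2986 section 4.1 (a PKCS#10 version is always 0), but the changed line `$cleanup->("Failed to set CSR version\n") if !Net::SSLeay::X509_REQ_set_version($req, 0);` deserves a one-line comment citing that section, because 2 is the encoding of an X.509v3 certificate's version field, which is the likely origin of the original value and makes a regression back to 2 easy. Since the cover text says the change has not yet been verified on an extracted CSR, a test that runs the commit message's `openssl req -in ... -text -noout` on a CSR produced by generate_csr and checks that the Version line no longer reads `Unknown (2)` would close that gap.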
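As an added example (not part of this patch or of PVE's code), a small Python check that reads the version INTEGER at the start of a DER or PEM encoded PKCS#10 request, the field this patch changes, and flags anything other than 0; the sample inputs are constructed CSR-shaped blobs, not real CSRs.

```python
import base64
import re

# Minimal DER reader, just enough to reach the version field of a
# PKCS#10 request (RFC 2986, section 4.1):
#   CertificationRequest ::= SEQUENCE {
#       certificationRequestInfo SEQUENCE { version INTEGER, ... }, ... }

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def csr_version(data):
    """Return the version field of a DER- or PEM-encoded CSR as an int."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----|\s", b"", data)   # strip armor and whitespace
        data = base64.b64decode(body)
    tag, start, _ = read_tlv(data, 0)              # CertificationRequest
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, start, _ = read_tlv(data, start)          # certificationRequestInfo
    if tag != 0x30:
        raise ValueError("certificationRequestInfo is not a SEQUENCE")
    tag, vstart, vend = read_tlv(data, start)      # version
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(data[vstart:vend], "big", signed=True)

def csr_version_ok(data):
    """True only for the single version RFC 2986 allows."""
    return csr_version(data) == 0

# Constructed stand-in, not a real CSR: only the outer structure and the
# version field are meaningful; the remaining fields are an empty SEQUENCE.
def fake_csr(version):
    info = b"\x02\x01" + bytes([version]) + b"\x30\x00"
    info = b"\x30" + bytes([len(info)]) + info
    return b"\x30" + bytes([len(info)]) + info

def pem_encode(der):
    return (b"-----BEGIN CERTIFICATE REQUEST-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE REQUEST-----\n")

GOOD_CSR = fake_csr(0)   # what the patched code emits
BAD_CSR = fake_csr(2)    # what generate_csr emitted before this patch
```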