<Derek.Whayman@barclayscapital.com>
2008-Jan-31 10:38 UTC
OpenSSL Year 2038 bug (relevant to long life certificates)
It would appear that 32 bit versions of OpenSSL (tested up to 0.9.8b from RHEL5 and 0.9.8g from source) suffer from the Year 2038 bug (http://en.wikipedia.org/wiki/Year_2038_problem). To recap, this is where the internal representation of time (time_t) is a 32 bit signed integer holding the number of seconds since the epoch (00:00:00 UTC on January 1, 1970). This means the maximum time you can represent on a 32 bit system is 03:14:07 19/01/2038. OpenSSL apparently uses time_t internally rather than something more, ahem, functional. None of this applies to 64 bit OpenSSL where time_t is 64 bits.

The upshot of this is that you should not be asking Puppet to work with certificates that pass beyond that date in 2038 if you use *any* 32 bit systems (with current OpenSSL). I had cheerfully specified 30 year certificates which worked fine until... you guessed it, 19/01/2008. I've gone back to 25y for now, and presumably will have to keep backing this off while either (i) we're supporting 32 bit machines (client *or* server) or (ii) someone fixes OpenSSL.

To reproduce this, try:

    puppetca --ca_ttl=30y --ssldir=/var/tmp/catest --generate hopeless.nohoper.com

And directly with OpenSSL (accept all the defaults):

    openssl req -new -x509 -keyout key1.pem -out cert1.pem -days 10000
    openssl req -new -x509 -keyout key2.pem -out cert2.pem -days 12000
    openssl x509 -noout -text -in cert1.pem
    openssl x509 -noout -text -in cert2.pem

Derek
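An added example (not part of the original post) that works through the arithmetic behind the report: for a given start time and lifetime it computes notAfter, checks whether that value fits a 32-bit signed time_t, and shows the wrapped date a 32-bit build would see. The start date is the date of the mail, taken as a constructed sample, and the "y = 365 days" reading of Puppet's ca_ttl is an assumption.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1                       # largest value a 32-bit signed time_t holds
T2038 = EPOCH + timedelta(seconds=INT32_MAX)  # 2038-01-19 03:14:07 UTC

# Constructed sample: the date the report was posted, used as the certificate's notBefore.
MAIL_DATE = datetime(2008, 1, 31, 10, 38, tzinfo=timezone.utc)


def wrap_time_t_32(epoch_seconds: int) -> int:
    """Reinterpret a second count as a 32-bit signed integer, as a 32-bit time_t would."""
    v = epoch_seconds & 0xFFFFFFFF
    return v - 2**32 if v >= 2**31 else v


def puppet_ttl_seconds(ttl: str) -> int:
    """Parse a Puppet-style ca_ttl such as '30y' or '10d' (assumption: y = 365 days)."""
    units = {"y": 365 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
    return int(ttl[:-1]) * units[ttl[-1]]


def check_not_after(not_before: datetime, lifetime_seconds: int) -> dict:
    """Compute notAfter and report whether a 32-bit time_t can represent it."""
    not_after = not_before + timedelta(seconds=lifetime_seconds)
    epoch = int((not_after - EPOCH).total_seconds())
    return {
        "not_after": not_after,
        "safe_on_32bit": epoch <= INT32_MAX,
        # What a 32-bit build decodes: past the limit this lands in December 1901.
        "seen_by_32bit": EPOCH + timedelta(seconds=wrap_time_t_32(epoch)),
        # Largest "-days N" that keeps this certificate below the 2038 limit.
        "max_safe_days": (T2038 - not_before).days,
    }


if __name__ == "__main__":
    for label, secs in [("ca_ttl=30y", puppet_ttl_seconds("30y")),
                        ("ca_ttl=25y", puppet_ttl_seconds("25y")),
                        ("-days 10000", 10000 * 86400),
                        ("-days 12000", 12000 * 86400)]:
        r = check_not_after(MAIL_DATE, secs)
        print(f"{label:12} notAfter={r['not_after']:%Y-%m-%d} "
              f"safe={r['safe_on_32bit']} 32bit_sees={r['seen_by_32bit']:%Y-%m-%d}")
```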