]> git.proxmox.com Git - pve-common.git/commitdiff
projects / pve-common.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4cb946a)
cert: fix invalid CSR version
authorMira Limbeck <m.limbeck@proxmox.com>
Fri, 31 Mar 2023 16:12:24 +0000 (18:12 +0200)
committerFabian Grünbichler <f.gruenbichler@proxmox.com>
Thu, 20 Apr 2023 12:31:46 +0000 (14:31 +0200)
According to rfc2986 the only valid version is 0. No newer rfc changed
that.
See section 4.1:
https://www.rfc-editor.org/rfc/rfc2986#section-4.1

Manually verifying the CSR with openssl results in the following error:
```
$ openssl req -in bad.csr -text -noout
Certificate Request:
    Data:
        Version: Unknown (2)
```

Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
src/PVE/Certificate.pm patch | blob | blame | history

diff --git a/src/PVE/Certificate.pm b/src/PVE/Certificate.pm
index 4ce73645a9c57407ae2abe8e0d9606fe7242d527..f67f6cd5c65ccfc42589d3fb53baf53649b4ff58 100644 (file)
--- a/src/PVE/Certificate.pm
+++ b/src/PVE/Certificate.pm
@@ -430,7 +430,7 @@ sub generate_csr {
 
     $cleanup->("Failed to set public key\n") if !Net::SSLeay::X509_REQ_set_pubkey($req, $pk);
 
-    $cleanup->("Failed to set CSR version\n") if !Net::SSLeay::X509_REQ_set_version($req, 2);
+    $cleanup->("Failed to set CSR version\n") if !Net::SSLeay::X509_REQ_set_version($req, 0);
 
     $cleanup->("Failed to sign CSR\n") if !Net::SSLeay::X509_REQ_sign($req, $pk, $md);
 
Common code