[pve-devel] applied: [PATCH common] cert: fix invalid CSR version

[Fabian Grünbichler]

thanks! (and sorry for the delay)

On March 31, 2023 6:12 pm, Mira Limbeck wrote:
> According to rfc2986 the only valid version is 0. No newer rfc changed
> that.
> See section 4.1:
> https://www.rfc-editor.org/rfc/rfc2986#section-4.1
> 
> Manually verifying the CSR with openssl results in the following error:
> ```
> $ openssl req -in bad.csr -text -noout
> Certificate Request:
>     Data:
>         Version: Unknown (2)
> ```
> 
> Signed-off-by: Mira Limbeck <m.limbeck at proxmox.com>
> ---
> I wasn't able to create a test setup where I could test this yet, will
> try again on monday.
> 
> Stoiko tested it on his setup with Let's Encrypt Staging and it worked
> fine. Although he didn't extract the CSR to verify it.
> 
> A customer reported the issue in the enterprise support portal and
> provided the fix as well.
> 
>  src/PVE/Certificate.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/PVE/Certificate.pm b/src/PVE/Certificate.pm
> index 4ce7364..f67f6cd 100644
> --- a/src/PVE/Certificate.pm
> +++ b/src/PVE/Certificate.pm
> @@ -430,7 +430,7 @@ sub generate_csr {
>  
>      $cleanup->("Failed to set public key\n") if !Net::SSLeay::X509_REQ_set_pubkey($req, $pk);
>  
> -    $cleanup->("Failed to set CSR version\n") if !Net::SSLeay::X509_REQ_set_version($req, 2);
> +    $cleanup->("Failed to set CSR version\n") if !Net::SSLeay::X509_REQ_set_version($req, 0);
>  
>      $cleanup->("Failed to sign CSR\n") if !Net::SSLeay::X509_REQ_sign($req, $pk, $md);
>  
> -- 
> 2.30.2
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
>