Sunday, April 07, 2024

Libressl verify failure with 3.9.0

Hello,

I recently updated to -current (about a week ago).

I see that Libressl is at 3.9.1 just now, but I hope that won't be an issue
(I did not see anything in the release notes that would impact my question).
---
$ openssl version
LibreSSL 3.9.0
---

Over the years, I have made certificates for personal servers/resources on
my home network. This is just for me, so I do some things that would be
frowned on (although, technically, there is nothing "wrong" with them).

In this case, since I have Apple iOS devices that I want to connect to
https, I backdate any certificates I create to 1/2/2019. Apple has imposed
a 300 or 800 day time limit on the validity for certificates created after
(about) 7/1/2019. Since I don't want to constantly make new certificates
for my personal/home network, I have just been setting the certificates'
"not before" date to early 2019.

Anyway, this had worked fine.
In fact, earlier this year (Jan 2024), I created a new certificate, and all
is good.

A few weeks ago, I added a new thing to the network - a raspberry pi (which I
got as a gift around 2013 and installed a linux image from 2019 on) that is
connected to the home alarm system.

Since I was annoyed that my browser was constantly giving me self-signed
certificate warnings, I decided to make a certificate for the nginx running
on this appliance.

I created a key, made a csr, and then signed it with:
openssl ca -startdate 20190102000000Z -in pi.csr -out pi.pem -config /etc/ssl/openssl.cnf

This all works fine, and a certificate is created.

When I check with:
openssl x509 -text -noout -in pi.pem

everything seems as expected, including the not before/after dates:

Validity
Not Before: Jan 2 00:00:00 2019 GMT
Not After : Apr 7 15:39:59 2054 GMT

(yes, it is valid for 35 years - as I said before, if someone breaks into my
house to secretly do things, I have way bigger problems)

But, if I try to verify this on the openbsd system, I get:

# openssl verify pi.pem
C = US, ST = Illinois, L = ***, O = ***, OU = ***, CN = ***
error 20 at 0 depth lookup:unable to get local issuer certificate
pi.pem: verification failed: 20 (unable to get local issuer certificate)
---

But, if I install this on the raspberry pi, which has a much older version
of openssl on it:
$ openssl version
OpenSSL 1.1.1c 28 May 2019

The certificate verifies without an issue:
$ openssl verify pi.pem
pi.pem: OK

The last time I created a certificate was in January of this year
(1/22/2024).
I am thinking the openbsd system was using Libressl 3.8.2 at that point.

I created that certificate in the exact same way, backdating the start date:
openssl ca -startdate 20190102000000Z -in 54.csr -out 54.pem -config /etc/ssl/openssl.cnf

This previously created certificate also has the same backdated and very
long validity period:

Validity
Not Before: Jan 2 00:00:00 2019 GMT
Not After : Jan 21 23:49:22 2054 GMT

(Notice the not after date is a little different)
Today, with the new libressl, this certificate verifies OK.

$ openssl verify 54.pem
54.pem: OK

Finally, if I create the new certificate WITHOUT backdating it
e.g.: openssl ca -in pi.csr -out pi.pem -config /etc/ssl/openssl.cnf

The certificate is created and verifies OK.

So it seems there is some sort of issue with backdating the certificate (but
not with the crazy long validity window) that was not present in January of
this year.

However, as I said, if I don't backdate, then in about a year the iPad will
refuse to connect because of the restrictions Apple has imposed, unless I
update the certificate.

I know this is not "best practice," but it should still work, right?

Is there something I am missing?
Otherwise, it appears something has changed in Libressl 3.9.0 but is not
documented.

Thanks in advance for any suggestions.
Ted
