Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 635c0adec2a5e45ef6abbd0a60a7e32d8f187ab2
commit635c0adec2a5e45ef6abbd0a60a7e32d8f187ab2[log] [tgz]
authorChristopher Faulet <cfaulet@qualys.com>Thu Nov 12 11:35:51 2015 +0100
committerWilly Tarreau <w@1wt.eu>Tue Feb 09 09:04:53 2016 +0100
tree1c3257db0b291c558b0e7bc610f68042e3d3234b
parent53f9685b7288e78c80dea4741a6952809ba90c0f [diff]
BUG/MINOR: ssl: Be sure to use unique serial for regenerated certificates

The serial number for a generated certificate was computed using the requested
servername, without any variable/random part. It is not a problem from the
moment it is not regenerated.

But if the cache is disabled or when the certificate is evicted from the cache,
we may need to regenerate it. It is important to not reuse the same serial
number for the new certificate. Else clients (especially browsers) trigger a
warning because 2 certificates issued by the same CA have the same serial
number.

So now, the serial is a static variable initialized with now_ms (internal date
in milliseconds) and incremented at each new certificate generation.

(Ref MPS-2031)
2 files changed
tree: 1c3257db0b291c558b0e7bc610f68042e3d3234b
  1. contrib/
  2. doc/
  3. ebtree/
  4. examples/
  5. include/
  6. src/
  7. tests/
  8. .gitignore
  9. CHANGELOG
  10. CONTRIBUTING
  11. LICENSE
  12. MAINTAINERS
  13. Makefile
  14. README
  15. ROADMAP
  16. SUBVERS
  17. VERDATE
  18. VERSION