On Fri, Apr 21, 2023 at 06:14:25PM +0200, Marco d'Itri wrote:
> On Apr 21, gs-debian....@gluelogic.com wrote:
>
> > I probably should have started with the most basic thing:
> >
> > What is the date on your device?
> NTP-accurate.

Perhaps there is something amiss in the Debian 32-bit build of lighttpd or openssl for aarch64. (Is there any particular reason that you are running 32-bit lighttpd on aarch64 rather than running 64-bit lighttpd?) If you are able to build lighttpd on your aarch64, you can use my local (internal) code to parse ASN1_TIME, rather than the openssl ASN1_TIME_cmp_time_t() routine to parse and compare. (Be sure to build 32-bit for testing to better match your current system configuration.) For *testing only*, the following patch "disables" the check for openssl 1.1.1, which added ASN1_TIME_cmp_time_t(), so that the local (internal) ASN1_TIME parsing is used. --- a/src/mod_openssl.c +++ b/src/mod_openssl.c @@ -1272,7 +1272,7 @@ network_ssl_servername_callback (SSL *ssl, int *al, void *srv) #endif -#if OPENSSL_VERSION_NUMBER < 0x10101000L \ +#if OPENSSL_VERSION_NUMBER < 0xFFFFFFFFL \ || defined(BORINGSSL_API_VERSION) \ ||(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3060000fL) static unix_time64_t @@ -1291,7 +1291,7 @@ mod_openssl_cert_is_active (const X509 *crt) { const ASN1_TIME *notBefore = X509_get0_notBefore(crt); const ASN1_TIME *notAfter = X509_get0_notAfter(crt); - #if OPENSSL_VERSION_NUMBER < 0x10101000L \ + #if OPENSSL_VERSION_NUMBER < 0xFFFFFFFFL \ || defined(BORINGSSL_API_VERSION) \ ||(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3060000fL) const unix_time64_t before = mod_openssl_asn1_time_to_posix(notBefore);
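
Review bot: in the first hunk (the `#if` at -1272, ahead of the `static unix_time64_t` definition), `0xFFFFFFFFL` is a magic value with no comment marking it as a test-only override. The comparison now holds for any OpenSSL version number, which also makes the BoringSSL and LibreSSL clauses after it redundant. A `/* TESTING ONLY */` comment on the changed line, or an explicit build-time test macro added as one more `|| defined(...)` clause (macro name to be chosen, none is shown in the patch), would keep the override from being read as a real version bound if it is carried in a local build.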
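
Review bot: in the second hunk, inside mod_openssl_cert_is_active(), the same three-line condition is edited by hand a second time, so this guard and the one in the first hunk can drift apart if only one of them is changed or later reverted. Defining the condition once next to the first `#if` and testing that single macro in both places would keep the notBefore/notAfter comparison here in step with the code compiled under the first guard, and would reduce the test override to a one-line change.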