Package: sscg
Version: 3.0.2-1
Severity: important
Tags: sid patch
control: affects -1 src:openssl
control: forwarded -1 https://github.com/sgallagher/sscg/pull/71
User: pkg-openssl-de...@lists.alioth.debian.org
Usertags: openssl-3.4

OpenSSL verifies the argument passed to X509_REQ_set_version() resulting in a failure. Patch attached fixes the issue.

Sebastian

From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Date: Sat, 19 Oct 2024 15:43:20 +0200 Subject: [PATCH] x509: Use proper version for CSR. RFC 2986 only defines a single version for CSRs: X509_VERSION_1 (0). OpenSSL starting with 3.4 rejects everything else. Use X509_VERSION_1 as version for X509_REQ_set_version. Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> --- src/x509.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/x509.c b/src/x509.c index 9f6f21b49c2dd..503b7b1b51ed4 100644 --- a/src/x509.c +++ b/src/x509.c @@ -169,7 +169,7 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx, talloc_set_destructor ((TALLOC_CTX *)csr, _sscg_csr_destructor); /* We will generate only x509v3 certificates */ - sslret = X509_REQ_set_version (csr->x509_req, 2); + sslret = X509_REQ_set_version (csr->x509_req, X509_VERSION_1); CHECK_SSL (sslret, X509_REQ_set_version); subject = X509_REQ_get_subject_name (csr->x509_req); -- 2.45.2
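
Review bot: the unchanged context comment "/* We will generate only x509v3 certificates */" directly above the modified X509_REQ_set_version() call no longer matches the code. It was the apparent reason for the old value 2, but the call sets the version of a certificate signing request, and the commit message itself says RFC 2986 defines only one CSR version, X509_VERSION_1 (0). Leaving the comment in place invites someone to "restore" the 2 later and reintroduce the failure under OpenSSL 3.4. Suggest rewording it in the same hunk to say that the CSR version is fixed at 0 per RFC 2986 and is independent of the version of the certificate that is eventually issued.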