From 5b2efc0a128102b165a8a62581a1ab3ec4ca675d Mon Sep 17 00:00:00 2001 From: Josh Braegger Date: Thu, 3 Jan 2019 13:20:29 -0800 Subject: [PATCH] Fix getting long serial numbers for openssl < 1.1 From https://www.ietf.org/rfc/rfc5280.txt > As noted in Section 4.1.2.2, serial numbers can be expected to > contain long integers. Certificate users MUST be able to handle > serialNumber values up to 20 octets in length. Conforming CAs MUST > NOT use serialNumber values longer than 20 octets. Without this, nghttpx will fatal. jbraeg$ openssl x509 -in ~/test_certs/client.crt -serial -noout serial=E0CFDFC7CEA10DF8AAF715C37FAEB410 jbraeg$ curl -k --key ~/test_certs/client.key --cert ~/test_certs/client.crt https://192.168.98.100:3000/; echo curl: (56) Unexpected EOF ... Assertion failed: n == b.size() (shrpx_tls.cc: get_x509_serial: 2051) 2019-01-03T20:25:21.289Z 1 1 f84316ae NOTICE (shrpx_log.cc:895) Worker process: [9] exited abnormally with status 0x06; exit status 0; signal Aborted(6) 2019-01-03T20:25:21.290Z 1 1 f84316ae NOTICE (shrpx.cc:4311) Shutdown momentarily --- src/shrpx_tls.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/shrpx_tls.cc b/src/shrpx_tls.cc index 9aa789d0..24ba7f9c 100644 --- a/src/shrpx_tls.cc +++ b/src/shrpx_tls.cc @@ -2046,9 +2046,9 @@ StringRef get_x509_serial(BlockAllocator &balloc, X509 *x) { return StringRef{}; } - std::array b; + std::array b; auto n = BN_bn2bin(bn, b.data()); - assert(n == b.size()); + assert(n <= 20); return util::format_hex(balloc, StringRef{std::begin(b), std::end(b)}); #endif // !OPENSSL_1_1_API