On Sat, Nov 15, 2003, David wrote:
>> >> These bugs all appear to be mostly cosmetic, but they leave me wondering >> what the latest valid expiration date is and whether the generated >> certificate is actually valid. >> The problems are largely based around the behaviour of the system time libraries and things like time_t when it overflows or becomes negative. What actually happens seems to be "undefined". To get more consistent behaviour OpenSSL should really do its own date calculations without the limitations and unpredictability of system library routines. >> FYI, I'm working on being my own CA and generating certs to go in some >> embedded systems, so long expirations are A Good Thing for me. Is there >> any way to make certs that never expire? >> No there isn't but you should be able to safely set one with a 30 year expiry date. Many existing key sizes will be ridiculously insecure well before then I suspect... The actual dates in certificates can theoretically go up to the year 9999. Steve. ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]