Stephen Henson via RT wrote:

> I'm not sure how portable that patch is as it stands.

What would be the portability problem? The code is already calling time() in order to calculate the expiration dates.

> As a portable alternative we could use a large random number for the
> serial number, for example a 159 bit one has negligible chance of
> duplicates.

That seems to be overkill--64 bits would be more than sufficient.

> I'd be interested to know how people are managing to create duplicate
> serial numbers: that is what commands and or scripts are being used to
> do this.

I've asked someone with more direct experience with this to comment on the ticket. As I understand it, there are at least two situations:

One, the CA somehow loses its serial number file--it rebuilds the box, regenerates the CA cert from scratch, or whatever.

Two, the user generates a self-signed cert with "openssl req -x509" and no serial number options, resulting in a cert with (nonconforming) serial number 0.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
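The two situations described in the reply (a CA that lost its serial file, and a self-signed `openssl req -x509` certificate that ends up with serial 0) can both be handled at the point of issuance by supplying an explicit random serial, and detected afterwards by inspecting the serial of an existing certificate. The script below is an added example written for this thread, not code from the ticket or from the OpenSSL project; it assumes the `openssl` command-line tool is installed, uses the 64-bit size the reply proposes, and uses `/CN=example.test` as a placeholder subject. The `-set_serial` option of `openssl req` and the `-serial` option of `openssl x509` are existing OpenSSL options; `random_serial`, `make_selfsigned`, `cert_serial` and `serial_is_conforming` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): issue a self-signed certificate with a
# random 64-bit serial instead of relying on the tool's default, and check a
# certificate's serial against the RFC 5280 rules (positive, non-zero, at most
# 20 octets when DER-encoded).
set -e

# 64 random bits from OpenSSL's CSPRNG, as 16 lowercase hex digits.
random_serial() {
    openssl rand -hex 8
}

# Self-signed certificate with an explicit serial.
# $1 = private key output path, $2 = certificate output path, $3 = hex serial.
# The subject is a placeholder; the key is throwaway material for the example.
make_selfsigned() {
    key=$1; cert=$2; serial=$3
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$cert" \
        -days 365 -subj "/CN=example.test" -set_serial "0x$serial" 2>/dev/null
}

# Serial of an existing PEM certificate as uppercase hex (the "serial=" prefix
# that openssl x509 prints is stripped).
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Return 0 if the hex serial is acceptable: not zero (the case the thread
# describes for "openssl req -x509" without serial options) and no longer
# than 20 octets (40 hex digits). Anything else returns 1.
serial_is_conforming() {
    s=$1
    stripped=$(printf '%s' "$s" | sed 's/^0*//')
    [ -n "$stripped" ] || return 1      # every digit zero: serial 0
    [ ${#s} -le 40 ] || return 1        # more than 20 octets
    return 0
}

# Stand-alone run: issue a certificate into a temporary directory and audit it.
if [ "${0##*/}" != "sh" ] && [ -z "$SERIAL_EXAMPLE_NO_MAIN" ]; then
    dir=$(mktemp -d)
    s=$(random_serial)
    make_selfsigned "$dir/key.pem" "$dir/cert.pem" "$s"
    got=$(cert_serial "$dir/cert.pem")
    if serial_is_conforming "$got"; then
        echo "certificate serial $got is acceptable"
    else
        echo "certificate serial $got is NOT acceptable"
    fi
    rm -rf "$dir"
fi
```

The audit function is the part worth keeping: run `cert_serial` over the certificates already deployed and flag any for which `serial_is_conforming` fails, since a serial of 0 is exactly what the reply describes as nonconforming output. Note that `openssl x509 -serial` prints the DER value without leading zero octets, so a generated serial whose first byte happens to be `00` comes back shorter than 16 digits; compare numerically rather than by string if you ever match the two.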