On St, 2014-07-16 at 17:46 +0200, Daniel Kahn Gillmor via RT wrote:
> On 07/16/2014 11:24 AM, Salz, Rich wrote:
> >> do you realistically think we'll ever drop support for the -days argument
> >> though? Dropping -days would break a million scripts.
> >
> > No, we'll never drop support for -days. But whether the code is atoi() or
> > atof() is a big difference and might cause important silent failures for
> > new scripts running on anything other than the most recent openssl. On
> > most systems atoi("0.5") returns 0 and no error indicator so "-days 0.5"
> > would silently do the wrong thing on anything other than openssl
> > 1.0.whatever Which seems much worse.
>
> ugh, you're quite right. Sorry, i wasn't thinking about the support
> hassle in that direction.
>
> And to make matters worse, "openssl req -x509" currently interprets
> "-days 0" or "-days 0.5" or "-days PT1800S" as "use the default number
> of days", which is 30. :/ From experimentation, i just discovered that
> -days is also happy to accept and interpret negative integer arguments
> as well, resulting in a key with ValidNotBefore later than ValidNotAfter
> :( not even an error message to let you know that you've just created a
> certificate that no validation stack in its right mind should ever accept.
>
> I withdraw my support for making -days take a fractional argument, given
> the behavior of the existing deployed base.
I agree with that as well. I did not look at the actual code in openssl
so I did not know that the fractional argument with the current version
does not error out.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
