Hi,

The PHP openssl library implements a function named openssl_csr_sign(), and inside that function one can find the following line:

    X509_gmtime_adj(X509_get_notAfter(new_cert), (long)60*60*24*num_days);

This obviously provokes an overflow in cases of large values of "num_days", say 36500 (representing 100 years), on 32-bit systems where usually "sizeof(long) = 4".

The bug report I opened in the PHP bugtracker was closed with "not a bug", pointing to the OpenSSL API. The PHP people correctly pointed out that X509_gmtime_adj() needs a long value as parameter.

I found that the OpenSSL cert creation example code (https://github.com/cloudmeter/openssl/blob/master/demos/x509/mkcert.c) has that very same line in it and should therefore be subject to the same issue:

    X509_set_version(x,2);
    ASN1_INTEGER_set(X509_get_serialNumber(x),serial);
    X509_gmtime_adj(X509_get_notBefore(x),0);
    X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days);
    X509_set_pubkey(x,pk);

After searching around a bit, I assume that with newer versions of OpenSSL, using OPENSSL_gmtime_adj() or X509_time_adj_ex() instead of X509_gmtime_adj() would maybe resolve this obvious limitation. Unfortunately, I'm not able to immediately see how (my C skills are rather limited and I'm not experienced with using OpenSSL).

Could somebody on this list maybe be so kind and point me in the right direction?

Thanks
Alex
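Added example, not part of the original post and not code from PHP or OpenSSL: it models what a 32-bit long holds after the `60*60*24*num_days` multiplication for the 36500-day case, and shows the day-based call to X509_time_adj_ex() that avoids forming that product. The names `max_days_32bit`, `wrapped_offset_32`, `set_not_after_days` and the `WITH_OPENSSL` build switch are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define SECS_PER_DAY (60 * 60 * 24)

/* Largest num_days for which 60*60*24*num_days still fits a 32-bit long. */
int max_days_32bit(void) {
    return INT32_MAX / SECS_PER_DAY;
}

/* Value a 32-bit long holds after (long)60*60*24*num_days, modelling the
 * two's-complement wraparound common compilers produce (formally the
 * signed overflow is undefined behaviour). */
int32_t wrapped_offset_32(int num_days) {
    uint32_t u = (uint32_t)SECS_PER_DAY * (uint32_t)num_days;
    int64_t v = (int64_t)u;
    if (v > INT32_MAX)
        v -= 4294967296LL; /* reinterpret as signed 32-bit */
    return (int32_t)v;
}

#ifdef WITH_OPENSSL /* hypothetical build switch; link with -lcrypto */
#include <openssl/x509.h>
/* notAfter = now + num_days; the day count is passed as an int, so no
 * seconds product is ever computed by the caller. Returns 1 on success. */
int set_not_after_days(X509 *cert, int num_days) {
    return X509_time_adj_ex(X509_get_notAfter(cert), num_days, 0, NULL) != NULL;
}
#endif

int main(void) {
    int days = 36500; /* the 100-year value from the post */
    int32_t off = wrapped_offset_32(days);
    printf("max safe days on 32-bit long: %d\n", max_days_32bit());
    printf("%d days -> offset %ld s (%s)\n", days, (long)off,
           off < 0 ? "notAfter lands in the past" : "ok");
    return 0;
}
```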