Re: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

Hi Erwann,

On 07/03/19 11:35, Erwann Abalea via openssl-users wrote:
Bonjour,

Here, rejecting the certificate is the correct behaviour, IMO.

UTCTime/GeneralizedTime are defined in X.680.

UTCTime:
  - can have no timezone information, or have Z, or have a timezone offset (with hours and minutes)
  - can be precise up to the second, or be precise up to the minute
  - cannot have fractional seconds or minutes
  - cannot have second 60 (think of leap seconds)
  - is not subject to ISO8601 rules

GeneralizedTime:
  - can have no timezone information, or have Z, or have a timezone offset (either hours, or hours and minutes)
  - can be precise up to the second with optional fractional seconds, or be precise up to the minute and have fractional minutes, or be precise up to the hour and have fractional hours (any number of decimal places)
  - shall follow ISO8601 rules (including leap seconds)
  - cannot support the "midnight at end of day" (240000)


thanks for the clarification and note that either way it's fine with me - I just wanted to know what message to tell to OpenVPN users who run into this issue. The 'correct' answer seems to be:

"Your certificate is invalid and was always invalid, but up till now OpenSSL grokked it.  OpenSSL (and therefore OpenVPN) no longer likes your cert, so get a new one"

cheers,

JJK / Jan Just Keijser
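
Added example (not part of the original message, and not OpenSSL's or OpenVPN's code): a checker that classifies a time string against the UTCTime/GeneralizedTime rules as listed in the quoted message, and separately against the single form RFC 5280 section 4.1.2.5 permits in a certificate (YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ), which comes from outside this thread. The names `check_time`, `PATTERNS` and the sample values are constructed for illustration; rejecting second 60 in the certificate form is an assumption.

```python
import re

# Field patterns shared by both types (helper names are this example's own).
_DATE = r"(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01])"  # MMDD
_HH, _MM, _SS = r"(?:[01]\d|2[0-3])", r"[0-5]\d", r"[0-5]\d"

# UTCTime as listed in the message: minute or second precision, no fractions,
# no second 60, and no timezone, Z, or a +/-hhmm offset.
UTC_X680 = re.compile(rf"\d\d{_DATE}{_HH}{_MM}(?:{_SS})?(?:Z|[+-]{_HH}{_MM})?")

# GeneralizedTime as listed: hour, minute or second precision, a fraction on
# the last component present, second 60 allowed, offset as hh or hhmm.
# Hour 24 never matches, so "midnight at end of day" (240000) is rejected.
GEN_X680 = re.compile(
    rf"\d{{4}}{_DATE}{_HH}(?:{_MM}(?:{_SS}|60)?)?(?:[.,]\d+)?"
    rf"(?:Z|[+-]{_HH}(?:{_MM})?)?")

# The one form RFC 5280 section 4.1.2.5 allows in a certificate: seconds
# present, Z, no fraction. Assumption: second 60 is not accepted here.
UTC_CERT = re.compile(rf"\d\d{_DATE}{_HH}{_MM}{_SS}Z")
GEN_CERT = re.compile(rf"\d{{4}}{_DATE}{_HH}{_MM}{_SS}Z")

PATTERNS = {"UTCTime": (UTC_X680, UTC_CERT),
            "GeneralizedTime": (GEN_X680, GEN_CERT)}


def check_time(tag: str, value: str) -> str:
    """Classify an ASN.1 time string as 'cert-ok', 'x680-only' or 'malformed'."""
    if tag not in PATTERNS:
        raise ValueError(f"unknown time type: {tag}")
    x680, cert = PATTERNS[tag]
    if cert.fullmatch(value):
        return "cert-ok"
    return "x680-only" if x680.fullmatch(value) else "malformed"


# Constructed sample values, not taken from the thread.
SAMPLES = [
    ("UTCTime", "290307113500Z"),
    ("UTCTime", "290307113500+0100"),
    ("UTCTime", "290307113560Z"),
    ("GeneralizedTime", "20290307113500.5Z"),
    ("GeneralizedTime", "20290307240000Z"),
]

if __name__ == "__main__":
    for tag, value in SAMPLES:
        print(f"{tag:16} {value:20} {check_time(tag, value)}")
```

A result of `x680-only` marks a value that fits the listed ASN.1 rules but not the certificate form, so the certificate carrying it should be reissued.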



