From: Aram Sargsyan <aram@isc.org>
Date: Fri, 7 Jan 2022 20:32:18 +0000 (+0000)
Subject: Generate a random serial number for 'tls ephemeral' certificates
X-Git-Tag: v9.18.0~23^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f457c512145002c2bea920488af48457c239313;p=thirdparty%2Fbind9.git

Generate a random serial number for 'tls ephemeral' certificates

Clients can cache the TLS certificates and refuse to accept
another one with the same serial number from the same issuer.

Generate a random serial number for the self-signed certificates
instead of using a fixed value.
---

diff --git a/lib/isc/tls.c b/lib/isc/tls.c
index cb8d41beb7b..35b8a1277e5 100644
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -36,6 +36,7 @@
 #include <isc/mutex.h>
 #include <isc/mutexblock.h>
 #include <isc/once.h>
+#include <isc/random.h>
 #include <isc/refcount.h>
 #include <isc/rwlock.h>
 #include <isc/thread.h>
@@ -389,7 +390,9 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
 		if (cert == NULL) {
 			goto ssl_error;
 		}
-		ASN1_INTEGER_set(X509_get_serialNumber(cert), 1);
+
+		ASN1_INTEGER_set(X509_get_serialNumber(cert),
+				 (long)isc_random32());
 
 #if OPENSSL_VERSION_NUMBER < 0x10101000L
 		X509_gmtime_adj(X509_get_notBefore(cert), 0);