TLS clients can have their clock a short time in the past, which will
result in not being able to validate the certificate.
Setting the "not before" property 5 minutes in the past will
accommodate some possible clock skew across systems.
ASN1_INTEGER_set(X509_get_serialNumber(cert),
(long)isc_random32());
+ /*
+ * Set the "not before" property 5 minutes into the past to
+ * accommodate with some possible clock skew across systems.
+ */
#if OPENSSL_VERSION_NUMBER < 0x10101000L
- X509_gmtime_adj(X509_get_notBefore(cert), 0);
+ X509_gmtime_adj(X509_get_notBefore(cert), -300);
#else
- X509_gmtime_adj(X509_getm_notBefore(cert), 0);
+ X509_gmtime_adj(X509_getm_notBefore(cert), -300);
#endif
+
/*
* We set the vailidy for 10 years.
*/
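Review bot: the literal -300 in both `X509_gmtime_adj(..., -300)` calls is a magic number that the added comment has to explain in words; a named constant (for example `#define NOTBEFORE_SKEW_SECONDS (-5 * 60)`) used in both branches of the `#if OPENSSL_VERSION_NUMBER` block would make the 5-minute intent self-documenting and keep the two branches from drifting apart. Two smaller points in the same region: the added comment reads "accommodate with some possible clock skew", which should be "accommodate some possible clock skew", and the unchanged context comment immediately below ("We set the vailidy for 10 years") has a typo ("validity") worth fixing while this block is being touched. Note also that the "not after" time is set separately in that 10-year block, so backdating "not before" by 300 seconds lengthens the overall validity window by 5 minutes rather than shifting it; that is fine for skew tolerance but should be a conscious choice.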