querter Posted February 11

Hello INDY users, hello Remy,

After a server update on the part of the hoster, we were no longer able to read the validity of the cert (NotAfter: TDateTime) from an FTPES connection with INDY10 #520. It turned out that the FTP server now sends the NotAfter date with a four-digit year (2051). INDY10 cannot handle this and terminates with an EConvertError.

Could a possible fundamental cause of the problem be that UTCTime is used for <= 2049 and GeneralizedTime for >= 2050?

"RFC 5280, May 2008 - Internet X.509", 4.1.2.5. Validity:

    The certificate validity period is the time interval during which the CA warrants that it will maintain information about the status of the certificate. The field is represented as a SEQUENCE of two dates: the date on which the certificate validity period begins (notBefore) and the date on which the certificate validity period ends (notAfter). Both notBefore and notAfter may be encoded as UTCTime or GeneralizedTime.

    CAs conforming to this profile MUST always encode certificate validity dates through the year 2049 as UTCTime; certificate validity dates in 2050 or later MUST be encoded as GeneralizedTime. Conforming applications MUST be able to process validity dates that are encoded in either UTCTime or GeneralizedTime.

Indy10 (D7) TIdX509.notBefore with four digits for the year has failed, and TIdX509.notAfter with four digits for the year has failed.

GoDaddy / Domainfactory (DE): the new self-signed certificate has a "Not after" date > 2050, and the FTP server sends the new date in GeneralizedTime format with four digits for the year.

(TIdX509.DisplayInfo.Text)

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=DE, ST=Bayern, L=Muenchen, O=ispgateway, CN=webserver.ispgateway.de
            Validity
                Not Before: Dec 12 05:43:54 2023 GMT
                Not After : Apr 29 05:43:54 2051 GMT
        ...
The FTP server sends the data in this format:

    Not Before: 231212054354Z
    Not After : 20510429054354Z

TIdX509.notBefore can only decode two digits for the year (YYMMDDHHMMSS).
TIdX509.notAfter can only decode two digits for the year (YYMMDDHHMMSS).

TIdX509.notBefore: OK = 12.12.2023 05:43:54
TIdX509.notAfter: FAIL = EConvertError (exception)

In IdSSLOpenSSL.pas: TIdX509 property notAfter -> calls function RnotAfter -> calls function UTCTime2DateTime() -> calls function UTC_Time_Decode() -> failed.
In IdSSLOpenSSLHeader.pas the function UTC_Time_Decode() returns a mismatch.

The workaround can now decode both four-digit and two-digit years:

TIdX509.notBefore can now decode two and four digits for the year (YYMMDDHHMMSS / YYYYMMDDHHMMSS).
TIdX509.notAfter can now decode two and four digits for the year (YYMMDDHHMMSS / YYYYMMDDHHMMSS).

TIdX509.notBefore: OK = 12.12.2023 05:43:54
TIdX509.notAfter: OK = 29.04.2051 05:43:54

And in UTC_Time_Decode() there are two more small errors in the TZ check.

So far I have only written up further details and the workaround in the German section: Delphi-Praxis (DE): "SSL Cert gültig bis 2051: Indy10 (D7) TIdX509.notAfter = EConvertError" (SSL cert valid until 2051: Indy10 (D7) TIdX509.notAfter = EConvertError).

Please, can any of you help me?

Greetings, qwerter
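The RFC 5280 rule quoted in the post (UTCTime through 2049, GeneralizedTime from 2050 on) and the two raw strings the FTP server sends are enough to write a decoder that handles both encodings. The following is an added example in Python; it is neither Indy's UTC_Time_Decode() nor the poster's Delphi workaround, and the function names are my own. It dispatches on the length of the string including the trailing "Z" (13 or 15 characters, i.e. the 12/14 digits mentioned in the thread plus the zone designator), applies the two-digit-year window RFC 5280 prescribes for UTCTime (50-99 is 19xx, 00-49 is 20xx), and rejects anything that is not in UTC, since RFC 5280 requires the "Z" form and forbids offsets and fractional seconds in certificate validity fields.

```python
"""Decode X.509 validity timestamps (RFC 5280, section 4.1.2.5).

Added example, not Indy code. It handles the two encodings a conforming
application MUST accept:
  UTCTime          YYMMDDHHMMSSZ    (13 chars)  e.g. "231212054354Z"
  GeneralizedTime  YYYYMMDDHHMMSSZ  (15 chars)  e.g. "20510429054354Z"
The two sample strings above are the ones quoted in the thread.
"""
from datetime import datetime, timezone


def decode_utctime(s: str) -> datetime:
    """UTCTime per RFC 5280: exactly YYMMDDHHMMSSZ, UTC only, seconds required.

    The two-digit year is windowed as RFC 5280 requires:
    50..99 -> 1950..1999, 00..49 -> 2000..2049.
    """
    if len(s) != 13 or s[-1] != "Z" or not s[:-1].isdigit():
        raise ValueError(f"malformed UTCTime: {s!r}")
    yy = int(s[0:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, int(s[2:4]), int(s[4:6]),
                    int(s[6:8]), int(s[8:10]), int(s[10:12]),
                    tzinfo=timezone.utc)


def decode_generalizedtime(s: str) -> datetime:
    """GeneralizedTime per RFC 5280: exactly YYYYMMDDHHMMSSZ, no fractional seconds."""
    if len(s) != 15 or s[-1] != "Z" or not s[:-1].isdigit():
        raise ValueError(f"malformed GeneralizedTime: {s!r}")
    return datetime(int(s[0:4]), int(s[4:6]), int(s[6:8]),
                    int(s[8:10]), int(s[10:12]), int(s[12:14]),
                    tzinfo=timezone.utc)


def decode_validity_time(s: str) -> datetime:
    """Dispatch on length: this is what tells the two encodings apart.

    A decoder that only knows the 13-char form is exactly what breaks on a
    2051 notAfter, which is the failure described in the thread.
    """
    if len(s) == 13:
        return decode_utctime(s)
    if len(s) == 15:
        return decode_generalizedtime(s)
    raise ValueError(f"unsupported ASN.1 time length {len(s)}: {s!r}")


def encoding_matches_rfc5280(s: str) -> bool:
    """True if the CA used the encoding RFC 5280 mandates for that year.

    Through 2049 the field MUST be UTCTime; from 2050 on it MUST be
    GeneralizedTime. Useful as a lint when inspecting a certificate.
    """
    year = decode_validity_time(s).year
    return len(s) == 13 if year <= 2049 else len(s) == 15


def is_valid_at(not_before: str, not_after: str, at: datetime) -> bool:
    """Check that `at` falls inside the certificate's validity window."""
    return decode_validity_time(not_before) <= at <= decode_validity_time(not_after)


if __name__ == "__main__":
    # Constructed input: the two strings quoted from the FTP server in the thread.
    nb, na = "231212054354Z", "20510429054354Z"
    print("notBefore:", decode_validity_time(nb).isoformat())
    print("notAfter :", decode_validity_time(na).isoformat())
    print("encodings OK:", encoding_matches_rfc5280(nb), encoding_matches_rfc5280(na))
```

Running the block prints the two dates as 2023-12-12T05:43:54+00:00 and 2051-04-29T05:43:54+00:00, i.e. the same values the poster's workaround produces. Because the decoder is strict about the trailing "Z", a string carrying a "+0100"-style offset is rejected rather than silently parsed as UTC, which is the conservative choice when the value feeds a validity check.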
DelphiUdIT Posted February 11

Sorry, but I don't understand... you have found the issue (in the UTC_Time_Decode function) and changed the code to read 4 digits (which you select based on the length of 12 or 14 characters). So how can we help you?
jaenicke Posted February 11

He needs help to make a pull request, because this fix should be included in the INDY source. Perhaps someone can do this for him. I do not have the time at the moment, otherwise I would have done it already when I saw the German post.
Remy Lebeau Posted February 11 (edited)

Quote (jaenicke, 1 hour ago): He needs help to make a pull request, because this fix should be included in the INDY source. Perhaps someone can do this for him. I do not have the time at the moment, otherwise I would have done it already when I saw the German post.

I have opened a ticket on Indy's GitHub repo and will work on a fix: #523: EConvertError in TIdX509.notBefore and TIdX509.notAfter properties for 4-digit years

UPDATE: I have now checked in a fix. Let me know if it works.

Edited February 11 by Remy Lebeau