Closed joshcooper closed 8 years ago
Nogotofail omitted the seconds portion of the notAfter date, which causes openjdk 1.8 to fail to parse the string as a GeneralizedTime[1]:
java.io.IOException: Parse Generalized time, invalid offset
This can lead to false negatives in otherwise vulnerable SSL clients.
Since notBefore includes seconds, include them for notAfter for greater compatibility. This affects both the selfsigned and invalidhostname attacks.
[1] https://github.com/openjdk-mirror/jdk/blob/c5294eda494101e62dc4c0eaa946ebe9ce60cd6b/src/share/classes/sun/security/util/DerInputBuffer.java#L392-L396
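Added example, not nogotofail's or OpenJDK's own code: a minimal DER GeneralizedTime encoder that can produce either the seconds-less `notAfter` this PR fixes or the corrected form, next to a strict parser that models the RFC 5280 profile (GeneralizedTime in a certificate MUST be `YYYYMMDDHHMMSSZ`, seconds included, UTC, no fractional seconds). The strict parser stands in for a strict client such as the OpenJDK code cited above; it is not that code, and its error messages, function names and the sample dates are assumptions made for this example.

```python
"""Added example (not from nogotofail or OpenJDK).

Shows why a notAfter without seconds is a problem: a strict RFC 5280 parser
rejects it before certificate validation ever runs, so a vulnerable client
looks "safe" (a false negative) simply because the test certificate was
unparseable.
"""
import re
from datetime import datetime, timezone

_GENERALIZED_TIME_TAG = 0x18
# RFC 5280 4.1.2.5.2: GeneralizedTime values MUST be YYYYMMDDHHMMSSZ.
_STRICT_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def _der_length(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_generalized_time(dt: datetime, include_seconds: bool = True) -> bytes:
    """DER-encode dt as a GeneralizedTime TLV.

    include_seconds=False reproduces the truncated YYYYMMDDHHMMZ form that the
    PR removes; it is not valid under the RFC 5280 certificate profile.
    """
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    dt = dt.astimezone(timezone.utc)
    fmt = "%Y%m%d%H%M%SZ" if include_seconds else "%Y%m%d%H%MZ"
    payload = dt.strftime(fmt).encode("ascii")
    return bytes([_GENERALIZED_TIME_TAG]) + _der_length(len(payload)) + payload


def not_after_from_iso(iso_utc: str, include_seconds: bool = True) -> bytes:
    """Convenience wrapper: build a notAfter TLV from an ISO 8601 UTC string."""
    dt = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return encode_generalized_time(dt, include_seconds)


def parse_generalized_time(der: bytes) -> datetime:
    """Strict parse: accept only the 15-byte YYYYMMDDHHMMSSZ payload."""
    if len(der) < 2 or der[0] != _GENERALIZED_TIME_TAG:
        raise ValueError("not a GeneralizedTime TLV")
    length = der[1]
    if length >= 0x80:
        raise ValueError("long-form length not expected for a time string")
    payload = der[2:2 + length]
    if len(payload) != length:
        raise ValueError("truncated TLV")
    m = _STRICT_RE.match(payload.decode("ascii"))
    if not m:
        # The assumed stand-in for OpenJDK's "invalid offset" rejection.
        raise ValueError("GeneralizedTime must be YYYYMMDDHHMMSSZ, got %r" % payload)
    year, month, day, hour, minute, second = (int(g) for g in m.groups())
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def client_can_parse_validity(not_after_der: bytes) -> bool:
    """True if a strict client gets past parsing notAfter; False if it bails
    out first, which is the false-negative case described in the PR."""
    try:
        parse_generalized_time(not_after_der)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample date; any notAfter a test MITM certificate might carry.
    fixed = not_after_from_iso("2050-01-01T12:00:00")
    broken = not_after_from_iso("2050-01-01T12:00:00", include_seconds=False)
    print("with seconds   :", fixed.hex(), "->", client_can_parse_validity(fixed))
    print("without seconds:", broken.hex(), "->", client_can_parse_validity(broken))
```

The practical check when reading a nogotofail (or any MITM test tool) result is that a client which drops the connection is only "vulnerable or not" if it actually reached certificate validation; a parse failure on the test certificate proves nothing about the client, which is why the fix adds the seconds rather than relying on lenient parsers.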