From: Dave Taht
To: cerowrt-devel@lists.bufferbloat.net
Date: Thu, 27 Mar 2014 13:04:22 -0700
Subject: [Cerowrt-devel] expiring certs kill juniper routers
List-Id: Development issues regarding the cerowrt test router project

A whole bunch of juniper routers just went down due to an expired certificate:

http://www.gossamer-threads.com/lists/nsp/juniper/50450

We set the cerowrt https certificates to expire in 2072. I plan on being safely dead by then... but... I worried that I might actually get uploaded instead... and still be around... so there's a cron job to create new ones every year.

1 3 1 2 * /etc/make-webcerts.sh # regen the web certs every year feb 1 at 3am (minute hour day month weekday)

It bugs me that the openssl syntax for generating certs is so arcane, and it bothers me more that there are people making bad certs out there for mission critical equipment.

"We're sorry, your vw bug can't start due to an expired certificate... we're sorry, your nuclear reactor's coolant interfaces can't start due to an expired certificate."

It kind of dwarfs the Y2038 problem in that it can happen anywhere, anytime.

-- 
Dave Täht
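As an added example (not CeroWrt's make-webcerts.sh and not from this list), here is a small Python check a renewal cron job could run before regenerating anything: it parses the notAfter= line that `openssl x509 -noout -enddate` prints, reports how many days remain, and also flags an expiry date past January 2038 that a 32-bit time_t cannot represent, which matters on small routers. It assumes openssl is on PATH for the file-based helper; the sample date lines are constructed.

```python
"""Pre-renewal certificate expiry check (added example, not CeroWrt's own script)."""
import calendar
import subprocess
import sys
import time

# Last second a signed 32-bit time_t can hold: 2038-01-19 03:14:07 UTC.
TIME_T_32_MAX = 2**31 - 1
# Constructed sample lines, in the format `openssl x509 -noout -enddate` prints.
SAMPLE_2072 = "notAfter=Feb  1 03:01:00 2072 GMT"
SAMPLE_2030 = "notAfter=Jan  1 00:00:00 2030 GMT"


def parse_not_after(enddate_line):
    """Return the certificate's notAfter as a POSIX timestamp (UTC)."""
    prefix, _, value = enddate_line.strip().partition("=")
    if prefix != "notAfter":
        raise ValueError("expected a notAfter= line, got %r" % enddate_line)
    # openssl pads single-digit days with a space ("Feb  1"); %d accepts that.
    return calendar.timegm(time.strptime(value, "%b %d %H:%M:%S %Y GMT"))


def days_remaining(enddate_line, now=None):
    """Days until expiry; negative once the certificate has already lapsed."""
    now = time.time() if now is None else now
    return (parse_not_after(enddate_line) - now) / 86400.0


def renewal_needed(enddate_line, now=None, min_days=30):
    """True when fewer than min_days remain (or the cert is already expired)."""
    return days_remaining(enddate_line, now) < min_days


def exceeds_32bit_time_t(enddate_line):
    """True when notAfter cannot be represented in a 32-bit time_t (Y2038)."""
    return parse_not_after(enddate_line) > TIME_T_32_MAX


def check_cert_file(path):
    """Run openssl on a PEM file; return (days_remaining, renewal_needed, past_2038)."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", path],
                         capture_output=True, text=True, check=True).stdout
    return days_remaining(out), renewal_needed(out), exceeds_32bit_time_t(out)


if __name__ == "__main__":
    days, renew, y2038 = check_cert_file(sys.argv[1])
    print("%.1f days left; renew=%s; past 32-bit time_t=%s" % (days, renew, y2038))
```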