WHIP: X509 cert serial number should be positive.

winlinvip · winlinvip · commit 4192d9a2d738 · 2025-06-10T19:01:15.000-04:00
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
@@ -316,7 +316,8 @@ static int openssl_gen_certificate(EVP_PKEY *pkey, X509 **cert, char **fingerpri
         goto enomem_end;
     }
 
-    serial = (int)av_get_random_seed();
+    // The serial number MUST be a positive integer。
+    serial = (int)(av_get_random_seed() & 0x7FFFFFFF);
     if (ASN1_INTEGER_set(X509_get_serialNumber(*cert), serial) != 1) {
         av_log(NULL, AV_LOG_ERROR, "TLS: Failed to set serial, %s\n", ERR_error_string(ERR_get_error(), NULL));
         goto einval_end;

Original file line number	Diff line number	Diff line change
`@@ -316,7 +316,8 @@ static int openssl_gen_certificate(EVP_PKEY pkey, X509 cert, char *fingerpri`
`316`	`316`	`goto enomem_end;`
`317`	`317`	`}`
`318`	`318`
`319`		`- serial = (int)av_get_random_seed();`
	`319`	`+ // The serial number MUST be a positive integer。`
	`320`	`+ serial = (int)(av_get_random_seed() & 0x7FFFFFFF);`
`320`	`321`	`if (ASN1_INTEGER_set(X509_get_serialNumber(*cert), serial) != 1) {`
`321`	`322`	`av_log(NULL, AV_LOG_ERROR, "TLS: Failed to set serial, %s\n", ERR_error_string(ERR_get_error(), NULL));`
`322`	`323`	`goto einval_end;`