I've come across X.509 certificates that appear to have an expiration date of February 29 in a year that is not a leap year when examined with OpenSSL.

I'll include an example certificate below found in the wild. If you save it to a text file named cert.pem and run:

    openssl x509 -text -in cert.pem

it should show you all the gory details, including this nugget:

    Not After : Feb 29 18:35:01 2022 GMT

which would be curious, because there is no February 29 in calendar year 2022.

I'm not familiar with the openssl code, so I'm not sure how this should be addressed since the cert was issued this way. Should OpenSSL mitigate it as most browsers I tested with appear to do, by interpreting the notAfter date as March 1 instead? I know when I use the libraries in a development project, this poses a potential problem since when I try to use a nonsensical date with other systems I run into problems. I can code around it, but I thought perhaps something within OpenSSL might want to address this.

-----BEGIN CERTIFICATE-----
MIIB2TCCAUKgAwIBAgIBATANBgkqhkiG9w0BAQUFADAgMR4wHAYDVQQDExVmbGVl
dC5ncHNzZXJ2ZXIwMy5jb20wHhcNMTIwMjI5MTgzNTAxWhcNMjIwMjI5MTgzNTAx
WjAgMR4wHAYDVQQDExVmbGVldC5ncHNzZXJ2ZXIwMy5jb20wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAM+5geRfhOhbCHZub0oKPtQ0zE7jKnca+mwR48G1d/GZ
FAmvMmPputk+QWzN4up0RxUQ8Lf7zRq9Bjy6oXoE5DAB8RWITpveCa11HsV+dDoa
A7h5ZP209pX/RDBfNY4cAqKo7NHEoJH0flHJq1BoNYgmDlc4VCRLfV+3xMmTqrZV
AgMBAAGjIzAhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgWgMA0GCSqG
SIb3DQEBBQUAA4GBAFm2XZ2jm5fGU+ySP/vOkjkHLWjiUVHjVMISzoWDT0SebKy9
8JBqp3WDiAG9XDoex4wqIw3htySsqqVCWWx+EirRVlogd45LEqZR8R+L3mq0DqNL
X0A7PPq6PwIQs9Ap8OI7+4SZsli9c7TMyYte3Ea/0bsJAPzITGJ9g2B5W861
-----END CERTIFICATE-----

I suppose this is a feature request to handle these situations, but please categorize however you feel most appropriate. This doesn't appear to be all that common, but I've run into them enough over the past few months to bother sending in this report for your consideration.

:-)
John
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                              [email protected]
Automated List Manager                                [email protected]
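
The calendar check discussed in the report above, as an added example that is not part of the original message and is not OpenSSL code: it parses an ASN.1 UTCTime string, reports whether the day exists, and computes the rolled-forward date (Feb 29 2022 becomes Mar 1 2022) that the message describes browsers using. The function and constant names are this example's own; the first sample string is the UTCTime form of the notAfter value printed above, and the second is a constructed leap-year control.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Result codes (names are this example's own, not an OpenSSL API). */
enum { DATE_OK = 0, DATE_MALFORMED = -1, DATE_NONEXISTENT = 1 };

static int is_leap(int y) { return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0; }

static int days_in_month(int y, int m) {
    static const int d[12] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    return d[m - 1] + (m == 2 && is_leap(y));
}

/* Parse "YYMMDDHHMMSSZ" and check that it names a real calendar day.
 * *ny/*nm/*nd receive the date; on DATE_NONEXISTENT they receive the
 * rolled-forward date, i.e. the lenient reading a caller may choose. */
int check_utctime(const char *s, int *ny, int *nm, int *nd) {
    int v[6], i;
    if (strlen(s) != 13 || s[12] != 'Z') return DATE_MALFORMED;
    for (i = 0; i < 12; i++)
        if (!isdigit((unsigned char)s[i])) return DATE_MALFORMED;
    for (i = 0; i < 6; i++)
        v[i] = (s[2 * i] - '0') * 10 + (s[2 * i + 1] - '0');
    /* RFC 5280: two-digit years >= 50 mean 19YY, otherwise 20YY. */
    int y = v[0] + (v[0] >= 50 ? 1900 : 2000), m = v[1], d = v[2];
    if (m < 1 || m > 12 || d < 1 || d > 31 || v[3] > 23 || v[4] > 59 || v[5] > 59)
        return DATE_MALFORMED;
    *ny = y; *nm = m; *nd = d;
    if (d <= days_in_month(y, m)) return DATE_OK;
    /* Day overflows a short month; December has 31 days, so the
     * excess always lands in the next month of the same year. */
    *nd = d - days_in_month(y, m);
    *nm = m + 1;
    return DATE_NONEXISTENT;
}

int main(void) {
    /* Sample inputs: notAfter as printed above, plus a constructed control. */
    const char *fields[] = { "220229183501Z", "120229183501Z" };
    for (int i = 0; i < 2; i++) {
        int y, m, d, rc = check_utctime(fields[i], &y, &m, &d);
        printf("%s -> %s, use %04d-%02d-%02d\n", fields[i],
               rc == DATE_OK ? "valid" : "nonexistent day", y, m, d);
    }
    return 0;
}
```

A strict consumer would reject on DATE_NONEXISTENT; a lenient one would log it and use the rolled-forward date.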
