On Thu, Oct 09, 2008, Andrej Podzimek wrote:

>> Then I suggest you run the following command on those systems too:
>> openssl verify -CAfile root.crt other.crt
>> Where "other.crt" is the EE certificate, server.crt or posgresql.crt
>
> Says OK on both machines.
>
>> In crypto/x509/x509_vfy.c the function check_cert_time() is the one you
>> need.
>> Around the line with X509_V_ERR_CERT_HAS_EXPIRED is the certificate it
>> thinks has expired "x". Suggest you dump that out to a temp file using
>> PEM_write_X509()
>
> Tried that. Added
> #include<openssl/pem.h>
> and modified the appropriate part of check_cert_time() as follows:
>     if (i < 0)
>         {
> +       FILE * f;
> +       f = fopen( "/tmp/CERTDUMP_EXPIRED", "w" );
> +       PEM_write_X509( f, x );
> +       fclose( f );
>         ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
>         ctx->current_cert=x;
>         if (!ctx->verify_cb(0, ctx))
>             return 0;
>         }
> The four lines I added did *not* execute at all on errors. I tried that
> multiple times and restarted PostgreSQL to make sure libraries get
> reloaded. Wrote a dummy program that could really open the file for
> writing. OpenSSL did not even touch the file. Checked twice, compiled
> twice...
> I even tried to recompile PostgreSQL (!) to make sure there is no static
> linking and the like. Nothing of that kind. It still didn't work.
> So I modified the whole function like this:
> static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
>     {
>     time_t *ptime;
>     int i;
> +   FILE * f;
> +   f = fopen( "/tmp/CERTDUMP_EXPIRED", "w" );
>
>     if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
>         ptime = &ctx->param->check_time;
>     else
>         ptime = NULL;
>
> +   fputs( "Before comparison.", f );
>     i=X509_cmp_time(X509_get_notBefore(x), ptime);
>     if (i == 0)
>         {
> +       fputs( "BEFORE FIELD ERROR", f );
> +       PEM_write_X509( f, x );
> +       fclose( f );
>         ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
>         ctx->current_cert=x;
>         if (!ctx->verify_cb(0, ctx))
>             return 0;
>         }
>
>     if (i > 0)
>         {
> +       fputs( "NOT_YET failure", f );
> +       PEM_write_X509( f, x );
> +       fclose( f );
>         ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
>         ctx->current_cert=x;
>         if (!ctx->verify_cb(0, ctx))
>             return 0;
>         }
>
>     i=X509_cmp_time(X509_get_notAfter(x), ptime);
>     if (i == 0)
>         {
> +       fputs( "AFTER FIELD ERROR", f );
> +       PEM_write_X509( f, x );
> +       fclose( f );
>         ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
>         ctx->current_cert=x;
>         if (!ctx->verify_cb(0, ctx))
>             return 0;
>         }
>
>     if (i < 0)
>         {
> +       fputs( "EXPIRED failure", f );
> +       PEM_write_X509( f, x );
> +       fclose( f );
>         ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
>         ctx->current_cert=x;
>         if (!ctx->verify_cb(0, ctx))
>             return 0;
>         }
>
>     return 1;
>     }
>
> The result was surprising: The file /tmp/CERTDUMP_EXPIRED contained *only*
> 'Before comparison.'. This means that *none* of the further branches could
> run! (In such a case, even fclose() did not run, but 'Before comparison.' was
> probably flushed automatically when the process exited.)
> So it seems that timestamp evaluation is OK. The function probably reached
> its end and returned 1. But where does the error message come from?
> Is there anything I am doing wrong? There are thousands of PostgreSQL
> users. Most of them probably need SSL. But there are no similar reports,
> AFAIK. :-(
>
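Review bot: the second instrumented check_cert_time() opens /tmp/CERTDUMP_EXPIRED with "w" on every call and only calls fclose() inside the four error branches, yet the function runs once per certificate in the chain being verified, so each call truncates what the previous call wrote and the handle (with "Before comparison." still in the stdio buffer) leaks on the `return 1;` path; that is exactly why the file held only that string with no fclose() having run. Suggest opening with "a", bailing out `if (f == NULL)`, and adding `fclose(f);` before `return 1;` (or `fflush(f);` after each fputs) so the dump records every certificate the function examined. The first four-line patch has the same unchecked fopen() result.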
Have you enabled CRL checking too? You can also get that if the nextUpdate
time in a CRL has passed. That might explain things if the CRL runs for a
month or so.

That error is produced in s3_both.c, see the SSL_AD_CERTIFICATE_EXPIRED stuff.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
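To make the stale-CRL possibility Steve raises checkable without patching libcrypto, here is an added example (not from the thread or from OpenSSL): a stdlib-only Python checker that reads thisUpdate/nextUpdate out of a DER CRL with a minimal ASN.1 walker and reports whether an expired certificate or a CRL whose nextUpdate has passed is what a CRL-checking verifier would fail on. The CRL it runs on is a constructed sample with a dummy signature, so it parses but is not verifiable.

```python
import datetime as dt

def _tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(value):
    """Yield the (tag, value) members of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def _time(tag, val):
    """UTCTime (0x17, two-digit year per RFC 5280) or GeneralizedTime (0x18)."""
    s = val.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ")

def crl_validity(crl_der):
    """(thisUpdate, nextUpdate or None) from a DER CertificateList."""
    tbs = next(_children(_tlv(crl_der, 0)[1]))[1]   # tbsCertList ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0x02:                        # optional version INTEGER
        fields = fields[1:]
    # fields[0]=signature alg, [1]=issuer, then thisUpdate and optional nextUpdate
    times = [f for f in fields[2:4] if f[0] in (0x17, 0x18)]
    return _time(*times[0]), (_time(*times[1]) if len(times) > 1 else None)

def diagnose(cert_not_after, crl_der, now):
    if now > cert_not_after:
        return "certificate expired"
    next_update = crl_validity(crl_der)[1]
    if next_update is not None and now > next_update:
        return "CRL stale (nextUpdate passed)"
    return "time checks pass"

def _der(tag, body):                                # minimal encoder, lengths < 256
    ln = bytes([len(body)]) if len(body) < 128 else b"\x81" + bytes([len(body)])
    return bytes([tag]) + ln + body
# Constructed sample CRL: thisUpdate 2008-10-01, nextUpdate 2008-11-01, no entries,
# sha256WithRSAEncryption OID, dummy signature BIT STRING (parseable, not verifiable).
_SIGALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))
SAMPLE_CRL = _der(0x30, _der(0x30, _der(0x02, b"\x01") + _SIGALG + _der(0x30, b"")
                             + _der(0x17, b"081001000000Z") + _der(0x17, b"081101000000Z"))
                  + _SIGALG + _der(0x03, b"\x00" + bytes(4)))
```

On a real CRL the same two fields are printed by `openssl crl -in crl.pem -noout -lastupdate -nextupdate`, and `openssl verify -crl_check` exercises the CRL-aware verification path that the plain `openssl verify -CAfile` run in the thread skips.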