On Thu, Oct 09, 2008, Andrej Podzimek wrote:

>> Then I suggest you run the following command on those systems too:
>> openssl verify -CAfile root.crt other.crt
>> Where "other.crt" is the EE certificate, server.crt or postgresql.crt
>
> Says OK on both machines.
>
>> In crypto/x509/x509_vfy.c the function check_cert_time() is the one you 
>> need.
>> Around the line with X509_V_ERR_CERT_HAS_EXPIRED is the certificate it
>> thinks has expired, "x". Suggest you dump that out to a temp file using
>> PEM_write_X509()
>
> Tried that. Added
>       #include<openssl/pem.h>
> and modified the appropriate part of check_cert_time() as follows:
>       if (i < 0)
>               {
> +             FILE * f;
> +             f = fopen( "/tmp/CERTDUMP_EXPIRED", "w" );
> +             PEM_write_X509( f, x );
> +             fclose( f );
>               ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
>               ctx->current_cert=x;
>               if (!ctx->verify_cb(0, ctx))
>               return 0;
>               }
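Review bot: the result of fopen() on the `+ f = fopen( "/tmp/CERTDUMP_EXPIRED", "w" );` line is never checked, so if the open fails inside the server process the following `PEM_write_X509( f, x );` and `fclose( f );` dereference a NULL FILE *. That also weakens the experiment: an absent dump file looks the same whether the branch was never entered or the open failed. Suggest guarding the write (`if (f) { PEM_write_X509(f, x); fclose(f); }`) and, when fopen() fails, recording strerror(errno) somewhere visible, so that a missing file is unambiguous evidence that the branch did not run.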
> The four lines I added did *not* execute at all on errors. I tried that 
> multiple times and restarted PostgreSQL to make sure libraries get 
> reloaded. Wrote a dummy program that could really open the file for 
> writing. OpenSSL did not even touch the file. Checked twice, compiled 
> twice...
> I even tried to recompile PostgreSQL (!) to make sure there is no static 
> linking and the like. Nothing of that kind. It still didn't work. So I 
> modified the whole function like this:
> static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
>       {
>       time_t *ptime;
>       int i;
> +     FILE * f;
> +     f = fopen( "/tmp/CERTDUMP_EXPIRED", "w" );
>
>       if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
>               ptime = &ctx->param->check_time;
>       else
>               ptime = NULL;
>
> +     fputs( "Before comparison.", f );
>       i=X509_cmp_time(X509_get_notBefore(x), ptime);
>       if (i == 0)
>               {
> +             fputs( "BEFORE FIELD ERROR", f );
> +             PEM_write_X509( f, x );
> +             fclose( f );
>               ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
>               ctx->current_cert=x;
>               if (!ctx->verify_cb(0, ctx))
>                       return 0;
>               }
>
>       if (i > 0)
>               {
> +             fputs( "NOT_YET failure", f );
> +             PEM_write_X509( f, x );
> +             fclose( f );
>               ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
>               ctx->current_cert=x;
>               if (!ctx->verify_cb(0, ctx))
>                       return 0;
>               }
>
>       i=X509_cmp_time(X509_get_notAfter(x), ptime);
>       if (i == 0)
>               {
> +             fputs( "AFTER FIELD ERROR", f );
> +             PEM_write_X509( f, x );
> +             fclose( f );
>               ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
>               ctx->current_cert=x;
>               if (!ctx->verify_cb(0, ctx))
>                       return 0;
>               }
>
>       if (i < 0)
>               {
> +             fputs( "EXPIRED failure", f );
> +             PEM_write_X509( f, x );
> +             fclose( f );
>               ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
>               ctx->current_cert=x;
>               if (!ctx->verify_cb(0, ctx))
>                       return 0;
>               }
>
>       return 1;
>       }
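Review bot: the file is opened with mode "w" at the top of the function, but fclose() appears only in the four error branches, so on the normal path the handle leaks at `return 1;` and nothing is flushed explicitly; and because "w" truncates, any later call to check_cert_time() during the same verification overwrites what the earlier call wrote, so the dump only ever shows the last call's trace. Suggest opening with "a", calling fflush(f) after each fputs(), closing the file before `return 1;`, and checking fopen() for NULL before the first fputs(). Logging the value of `i` next to each marker would also show which comparison produced which line.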
>
> The result was surprising: the file /tmp/CERTDUMP_EXPIRED contained *only* 
> 'Before comparison.'. This means that *none* of the further branches could 
> run! (In such a case, even fclose() did not run, but 'Before comparison.' was 
> probably flushed automatically when the process exited.)
> So it seems that timestamp evaluation is OK. The function probably reached 
> its end and returned 1. But where does the error message come from?
> Is there anything I am doing wrong? There are thousands of PostgreSQL 
> users. Most of them probably need SSL. But there are no similar reports, 
> AFAIK. :-(
>

Have you enabled CRL checking too? You can also get that if the nextUpdate
time in a CRL has passed. That might explain things if the CRL runs for a
month or so.

That error is produced in s3_both.c, see the SSL_AD_CERTIFICATE_EXPIRED stuff.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
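As an added example (not from this thread, and not OpenSSL project code), the shell script below reproduces the situation Steve describes with a throwaway PKI: the same end-entity certificate passes `openssl verify` on its own, yet is rejected with an expiry error as soon as `-crl_check` is on and the CRL's nextUpdate lies before the check time. It assumes an openssl(1) that supports `ca -gencrl` and `verify -attime`; the names Test-CA and postgres.example and the scratch directory are made up.

```shell
# Added example, not from the thread. Same end-entity cert, checked with and
# without CRL checking, at different "-attime" instants. Assumes openssl(1)
# supporting "ca -gencrl" and "verify -attime"; names below are made up.
set -e

# Throwaway PKI: CA (10 years), EE cert (365 days), CRL valid for 1 hour.
# Prints the scratch directory it created.
make_test_pki() {
    work=$(mktemp -d)
    (
        cd "$work"
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
            -subj /CN=Test-CA -days 3650 >/dev/null 2>&1
        openssl req -newkey rsa:2048 -nodes -keyout ee.key -out ee.csr \
            -subj /CN=postgres.example >/dev/null 2>&1
        openssl x509 -req -in ee.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -out ee.crt -days 365 >/dev/null 2>&1
        # Minimal "openssl ca" config: gencrl needs only database, cert and key.
        printf '[ca]\ndefault_ca = crl_ca\n[crl_ca]\ndatabase = index.txt\n' > ca.cnf
        printf 'certificate = ca.crt\nprivate_key = ca.key\ndefault_md = sha256\n' >> ca.cnf
        : > index.txt
        openssl ca -config ca.cnf -gencrl -crlhours 1 -out crl.pem >/dev/null 2>&1
        cat ca.crt crl.pem > bundle.pem   # -CAfile may carry CRLs next to certs
    )
    echo "$work"
}

# verify_at DIR OFFSET [FLAGS]: verify ee.crt as of now+OFFSET seconds and
# classify the outcome from the text (exit codes differ between versions).
verify_at() {
    at=$(( $(date +%s) + $2 ))
    out=$(openssl verify $3 -attime "$at" -CAfile "$1/bundle.pem" "$1/ee.crt" 2>&1 || true)
    case "$out" in
        *"CRL has expired"*)         echo CRL_EXPIRED ;;
        *"certificate has expired"*) echo CERT_EXPIRED ;;
        *": OK"*)                    echo OK ;;
        *)                           echo "OTHER: $out" ;;
    esac
}

# The certificate is fine for a year; only the one-hour CRL goes stale.
main() {
    d=$(make_test_pki)
    echo "+2h,   no CRL check: $(verify_at "$d" 7200)"              # OK
    echo "+2h,   -crl_check:   $(verify_at "$d" 7200 -crl_check)"   # CRL_EXPIRED
    echo "+400d, no CRL check: $(verify_at "$d" 34560000)"          # CERT_EXPIRED
    rm -rf "$d"
}
main
```

The middle line is the case from the thread: `openssl verify` without CRL checking says OK, while the verifier with a stale CRL reports an expiry, and a TLS peer only ever sees the certificate-expired alert.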
