Hi,

I don't think this question was answered. Could you please reply?

--
Ashok

On Tue, Jul 31, 2012 at 11:13 PM, Klaus Darilion <
klaus.mailingli...@pernau.at> wrote:

> Hi!
>
> I wrote a small program which dumps all root certificates from Windows
> certificate store into a file. Then I use openssl to connect to Google and
> validate its certificate:
>
> openssl s_client -connect www.google.com:443 -CAfile dump.crt
>
> When using openssl0.9.8k or openssl0.9.8x everything works as expected.
>
> When using openssl1.0.0g or openssl 1.0.1c the certificate validation
> fails with:
>   Verify return code: 10 (certificate has expired)
>
> CONNECTED(0000016C)
> depth=2 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary
> Certification Authority
> verify error:num=10:certificate has expired
> notAfter=Jan  7 23:59:59 2004 GMT
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=California/L=**Mountain View/O=Google Inc/CN=www.google.com
>    i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
>  1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
>    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> Authority
>
> When analyzing the cafile with the dumped certificates from Windows
> certificate store, I found out that there are two certificates for Verisign
> with identical subject, whereas one is expired, the other not.
>
> X.509 Certificate Information:
>         Version: 1
>         Serial Number (hex): 00e49efdf33ae80ecfa5113e19a424**0232
>         Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
> Certification Authority
>         Validity:
>                 Not Before: Mon Jan 29 00:00:00 UTC 1996
>                 Not After: Wed Jan 07 23:59:59 UTC 2004
>         Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
> Certification Authority
>         Subject Public Key Algorithm: RSA
>
> X.509 Certificate Information:
>         Version: 1
>         Serial Number (hex): 70bae41d10d92934b638ca7b03ccba**bf
>         Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
> Certification Authority
>         Validity:
>                 Not Before: Mon Jan 29 00:00:00 UTC 1996
>                 Not After: Tue Aug 01 23:59:59 UTC 2028
>         Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
> Certification Authority
>         Subject Public Key Algorithm: RSA
>
>
> Thus, it seems that openssl 0.9.8 just ignores the expired certificate and
> searches if there is another valid one whereas openssl 1.0.0 stop with the
> first expired certificate.
>
> Is the new behavior the intended behavior? Is it possible to have the old
> behavior also in new openssl versions?
>
> Thanks
> Klaus
>
> ______________________________**______________________________**__________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>

Reply via email to