Gentle reminder .. Just want to know if this is a bug or intended behaviour.
--
Ashok

On Fri, Sep 14, 2012 at 3:12 PM, Ashok C <ash....@gmail.com> wrote:
> Hi Etkal,
>
> >> s_client app or the OpenSSL cert store functionality that changed this.
> The problem is with the openSSL store itself, as I had tested this with my
> own SSL client and observed the same behaviour.
>
> --
> Ashok
>
> On Thu, Sep 13, 2012 at 8:39 PM, Erik Tkal <et...@juniper.net> wrote:
>
>> I suppose that's a workaround, but doesn't address the root cause.
>> Windows can quite happily handle expired certificates still hanging out in
>> trusted stores; I see this all the time as root updates occur and renewed
>> certificates are installed. It seems that a change in OpenSSL broke the
>> previous behaviour that allowed this as well, though we can't tell if it's
>> the s_client app or the OpenSSL cert store functionality that changed this.
>>
>> ....................................
>> Erik Tkal
>> Juniper OAC/UAC/Pulse Development
>>
>> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills
>> Sent: Thursday, September 13, 2012 9:42 AM
>> To: openssl-users@openssl.org
>> Subject: RE: certificate validation issues with openssl 1.0.0 and expired certificates in cafile
>>
>> Would it make sense to delete the expired certificate from the Windows
>> store? Duplicate expired/non expired CA certificates sounds to me like a
>> problem waiting to happen.
>>
>> Charles
>>
>> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Ashok C
>> Sent: Thursday, September 13, 2012 12:49 AM
>> To: openssl-users@openssl.org
>> Subject: Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile
>>
>> Sending again as the previous email did not appear in list.
>> Is there some problem with the mailing list?
>>
>> --
>> Ashok
>>
>> On Wed, Sep 12, 2012 at 2:59 PM, Ashok C <ash....@gmail.com> wrote:
>>
>> Hi,
>>
>> I don't think this question was answered. Could you please reply?
>>
>> --
>> Ashok
>>
>> On Tue, Jul 31, 2012 at 11:13 PM, Klaus Darilion <klaus.mailingli...@pernau.at> wrote:
>>
>> Hi!
>>
>> I wrote a small program which dumps all root certificates from Windows
>> certificate store into a file. Then I use openssl to connect to Google and
>> validate its certificate:
>>
>>   openssl s_client -connect www.google.com:443 -CAfile dump.crt
>>
>> When using openssl 0.9.8k or openssl 0.9.8x everything works as expected.
>>
>> When using openssl 1.0.0g or openssl 1.0.1c the certificate validation
>> fails with:
>>   Verify return code: 10 (certificate has expired)
>>
>>   CONNECTED(0000016C)
>>   depth=2 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
>>   verify error:num=10:certificate has expired
>>   notAfter=Jan  7 23:59:59 2004 GMT
>>   verify return:0
>>   ---
>>   Certificate chain
>>    0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
>>      i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
>>    1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
>>      i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
>>
>> When analyzing the cafile with the dumped certificates from Windows
>> certificate store, I found out that there are two certificates for Verisign
>> with identical subject, whereas one is expired, the other not.
>>
>>   X.509 Certificate Information:
>>     Version: 1
>>     Serial Number (hex): 00e49efdf33ae80ecfa5113e19a4240232
>>     Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
>>     Validity:
>>       Not Before: Mon Jan 29 00:00:00 UTC 1996
>>       Not After:  Wed Jan 07 23:59:59 UTC 2004
>>     Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
>>     Subject Public Key Algorithm: RSA
>>
>>   X.509 Certificate Information:
>>     Version: 1
>>     Serial Number (hex): 70bae41d10d92934b638ca7b03ccbabf
>>     Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
>>     Validity:
>>       Not Before: Mon Jan 29 00:00:00 UTC 1996
>>       Not After:  Tue Aug 01 23:59:59 UTC 2028
>>     Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
>>     Subject Public Key Algorithm: RSA
>>
>> Thus, it seems that openssl 0.9.8 just ignores the expired certificate
>> and searches if there is another valid one whereas openssl 1.0.0 stops with
>> the first expired certificate.
>>
>> Is the new behavior the intended behavior? Is it possible to have the old
>> behavior also in new openssl versions?
>>
>> Thanks
>> Klaus
>>
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           majord...@openssl.org
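The thread turns on a CA bundle that contains two certificates with the same subject, one of them expired. The following Python script is an added example, not code from the OpenSSL project or from anyone in this thread: it splits a PEM bundle into certificates, reads subject, serial and notAfter through the `openssl x509 -noout -subject -serial -enddate` command-line invocation, flags subjects that appear more than once and marks the expired copies, and contrasts a lookup that takes the first subject match with one that keeps searching past expired copies, the two behaviours the thread attributes to 1.0.0 and 0.9.8. Those two lookup functions are a simplified model of the described behaviour, not OpenSSL's actual X509_STORE code. The function names, the `CAEntry` type and the embedded sample text are my own; the sample mirrors the two VeriSign entries Klaus posted, in the order the dumped bundle listed them, with the thread's date used as the clock.

```python
# Added example (not OpenSSL project code): audit a PEM CA bundle for
# duplicate-subject certificates and model the two lookup policies the
# thread contrasts.  Record parsing relies on the text printed by
# `openssl x509 -noout -subject -serial -enddate`; the lookup functions
# are a simplified model of the behaviour described, not OpenSSL's store code.
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class CAEntry:
    subject: str          # subject DN as printed by openssl (the match key)
    serial: str           # hex serial, uppercased
    not_after: datetime   # timezone-aware UTC expiry


def split_pem(bundle_text):
    """Return the PEM certificate blocks of a bundle, in file order."""
    blocks, current = [], None
    for line in bundle_text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            current = [line]
        elif line.startswith("-----END CERTIFICATE-----") and current is not None:
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            current = None
        elif current is not None:
            current.append(line)
    return blocks


def describe_with_openssl(pem_block):
    """Return the subject/serial/notAfter text for one PEM block via the
    openssl CLI.  Needs the openssl binary on PATH; the offline demo below
    feeds parse_openssl_text() with constructed text instead."""
    proc = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-serial", "-enddate"],
        input=pem_block, capture_output=True, text=True, check=True)
    return proc.stdout


def parse_openssl_text(text):
    """Parse the 'subject=', 'serial=' and 'notAfter=' lines of openssl x509."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    when = datetime.strptime(fields["notAfter"].replace(" GMT", ""),
                             "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return CAEntry(fields["subject"], fields["serial"].upper(), when)


def audit_bundle(entries, now):
    """Map each duplicated subject to its copies as (serial, expired) pairs."""
    by_subject = {}
    for e in entries:
        by_subject.setdefault(e.subject, []).append((e.serial, e.not_after <= now))
    return {s: copies for s, copies in by_subject.items() if len(copies) > 1}


def lookup_first_match(entries, issuer_subject, now):
    """Model of a store that takes the first subject match and only then
    checks validity: an expired copy listed first makes the chain fail."""
    for e in entries:
        if e.subject == issuer_subject:
            return e.serial, e.not_after > now
    return None, False


def lookup_skip_expired(entries, issuer_subject, now):
    """Model of a store that keeps looking past expired copies of the same
    subject, which is what the 0.9.8 result in the thread suggests."""
    candidates = [e for e in entries if e.subject == issuer_subject]
    for e in candidates:
        if e.not_after > now:
            return e.serial, True
    return (candidates[0].serial, False) if candidates else (None, False)


def prune_expired_duplicates(entries, now):
    """Mitigation: drop expired copies of any subject that also has a valid copy."""
    valid_subjects = {e.subject for e in entries if e.not_after > now}
    return [e for e in entries
            if e.not_after > now or e.subject not in valid_subjects]


# Constructed sample: the two VeriSign roots from the thread, in the order the
# dumped bundle listed them (expired copy first), as openssl x509 prints them.
VERISIGN_DN = 'C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority'
SAMPLE_OPENSSL_OUTPUT = [
    f"subject={VERISIGN_DN}\nserial=E49EFDF33AE80ECFA5113E19A4240232\nnotAfter=Jan  7 23:59:59 2004 GMT\n",
    f"subject={VERISIGN_DN}\nserial=70BAE41D10D92934B638CA7B03CCBABF\nnotAfter=Aug  1 23:59:59 2028 GMT\n",
]
SAMPLE_ENTRIES = [parse_openssl_text(t) for t in SAMPLE_OPENSSL_OUTPUT]
# Constructed clock: the date of the thread, so the 2004 copy counts as expired.
NOW = datetime(2012, 9, 14, tzinfo=timezone.utc)

if __name__ == "__main__":
    for subject, copies in audit_bundle(SAMPLE_ENTRIES, NOW).items():
        print("duplicate subject:", subject)
        for serial, expired in copies:
            print("   serial", serial, "EXPIRED" if expired else "valid")
    print("first-match lookup :", lookup_first_match(SAMPLE_ENTRIES, VERISIGN_DN, NOW))
    print("skip-expired lookup:", lookup_skip_expired(SAMPLE_ENTRIES, VERISIGN_DN, NOW))
    print("after pruning      :", [e.serial for e in prune_expired_duplicates(SAMPLE_ENTRIES, NOW)])
```

To run it against a real bundle, map `describe_with_openssl` over `split_pem(open("dump.crt").read())` and pass the parsed entries to `audit_bundle`. Whatever the store's lookup order, a bundle in which every subject has at most one unexpired copy (the result of `prune_expired_duplicates`) validates the same way under either policy, which is the practical way to make the chain in the thread verify on 1.0.0 without depending on an ordering accident.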