Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

Klaus Darilion Tue, 25 Sep 2012 03:49:18 -0700

Just for the records: my workaround was to check the expiration datewhile dumping the certificates into the file, and skipping the expiredones. Further, I dump the certificates once a day to avoid issues withcertificates expired after doing the dump.


regards
Klaus


On 13.09.2012 17:09, Erik Tkal wrote:

I suppose that’s a workaround, but doesn’t address the root cause.
Windows can quite happily handle expired certificates still hanging out
in trusted stores; I see this all the time as root updates occur and
renewed certificates are installed.  It seems that a change in OpenSSL
broke the previous behaviour that allowed this as well, though we can’t
tell if it’s the s_client app or the OpenSSL cert store functionality
that changed this.


....................................
*Erik Tkal**
*Juniper OAC/UAC/Pulse Development

*From:*owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] *On Behalf Of *Charles Mills
*Sent:* Thursday, September 13, 2012 9:42 AM
*To:* openssl-users@openssl.org
*Subject:* RE: certificate validation issues with openssl 1.0.0 and
expired certificates in cafile

Would it make sense to delete the expired certificate from the Windows
store? Duplicate expired/non expired CA certificates sounds to me like a
problem waiting to happen.

/Charles/

*From:*owner-openssl-us...@openssl.org
<mailto:owner-openssl-us...@openssl.org>
[mailto:owner-openssl-us...@openssl.org] *On Behalf Of *Ashok C
*Sent:* Thursday, September 13, 2012 12:49 AM
*To:* openssl-users@openssl.org <mailto:openssl-users@openssl.org>
*Subject:* Re: certificate validation issues with openssl 1.0.0 and
expired certificates in cafile

Sending again as the previous email did not appear in list.
Is there some problem with the mailing list?

--
Ashok

On Wed, Sep 12, 2012 at 2:59 PM, Ashok C <ash....@gmail.com
<mailto:ash....@gmail.com>> wrote:

Hi,

I don't think this question was answered. Could you please reply?

--
Ashok

On Tue, Jul 31, 2012 at 11:13 PM, Klaus Darilion
<klaus.mailingli...@pernau.at <mailto:klaus.mailingli...@pernau.at>> wrote:

Hi!

I wrote a small program which dumps all root certificates from Windows
certificate store into a file. Then I use openssl to connect to Google
and validate its certificate:

openssl s_client -connect www.google.com:443 <http://www.google.com:443>
-CAfile dump.crt

When using openssl0.9.8k or openssl0.9.8x everything works as expected.

When using openssl1.0.0g or openssl 1.0.1c the certificate validation
fails with:
   Verify return code: 10 (certificate has expired)

CONNECTED(0000016C)
depth=2 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary
Certification Authority
verify error:num=10:certificate has expired
notAfter=Jan  7 23:59:59 2004 GMT
verify return:0
---
Certificate chain
  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
<http://www.google.com>
    i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
  1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Authority

When analyzing the cafile with the dumped certificates from Windows
certificate store, I found out that there are two certificates for
Verisign with identical subject, whereas one is expired, the other not.

X.509 Certificate Information:
         Version: 1
         Serial Number (hex): 00e49efdf33ae80ecfa5113e19a4240232
         Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Certification Authority
         Validity:
                 Not Before: Mon Jan 29 00:00:00 UTC 1996
                 Not After: Wed Jan 07 23:59:59 UTC 2004
         Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Certification Authority
         Subject Public Key Algorithm: RSA

X.509 Certificate Information:
         Version: 1
         Serial Number (hex): 70bae41d10d92934b638ca7b03ccbabf
         Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Certification Authority
         Validity:
                 Not Before: Mon Jan 29 00:00:00 UTC 1996
                 Not After: Tue Aug 01 23:59:59 UTC 2028
         Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Certification Authority
         Subject Public Key Algorithm: RSA


Thus, it seems that openssl 0.9.8 just ignores the expired certificate
and searches if there is another valid one whereas openssl 1.0.0 stop
with the first expired certificate.

Is the new behavior the intended behavior? Is it possible to have the
old behavior also in new openssl versions?

Thanks
Klaus

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
<mailto:openssl-users@openssl.org>
Automated List Manager majord...@openssl.org <mailto:majord...@openssl.org>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

Reply via email to