On 2020-06-01, Allan Streib <astr...@indiana.edu> wrote:
> Below are two openssl s_client transcripts. First with the original
> cert.pem (Verify return code: 10 (certificate has expired)) and second
> after I edited cert.pem to remove AddTrust (Verify return code: 0 (ok)).
>
> So, I thought perhaps the issue described was also present in LibreSSL
> (on my 6.6 system this is LibreSSL 3.0.2). Although removing the expired
> certificate is easy, it doesn't seem to me that it should be
> necessary. If LibreSSL is behaving as intended here, please let me know.
>
> Will try to get a 6.7 system set up soon to test it there also.
>
> [1] https://www.cmu.edu/iso/service/cert-auth/addtrust.html
The same happens with 6.7 and -current. Hopefully this will be improved
in libressl, but libressl clients aren't the only ones who will have
problems with this - if you're in contact with the server admins I would
recommend they remove the expired cert from their set of intermediates -
it is doing nothing useful any more. The ones they need are these two:

> ---
> Certificate chain
>  0 s:/C=US/postalCode=47405/ST=Indiana/L=Bloomington/street=107 South Indiana Ave/O=Indiana University-Bloomington/OU=UITS/CN=mail-relay.iu.edu
>    i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
>  1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
>    i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority

And the other two should be removed - the first one was useful for old
clients up to the date it expired - the latter was never needed.

>  2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
>  3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
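As an added example (not code from the thread, from LibreSSL or from the server in question), a dependency-free Python script that does what the reply recommends: split an intermediate bundle, read each certificate's notAfter straight from the DER, and drop the expired ones. The names PEM_RE, der_tlv, cert_not_after, prune_expired and THREAD_DATE are mine, and the two sample "certificates" are constructed unsigned skeletons carrying only the fields the walker reads, dated like the InCommon intermediate (valid to 2024-10-05) and the AddTrust cross-sign (expired 2020-05-30 10:48:38 UTC).

```python
import base64, re
from datetime import datetime, timezone
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
THREAD_DATE = datetime(2020, 6, 1, tzinfo=timezone.utc)  # when this thread was posted

def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length (real certificates use it)
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity -> notAfter (RFC 5280 field order)."""
    _, p, _ = der_tlv(der, 0)                       # Certificate SEQUENCE
    _, p, _ = der_tlv(der, p)                       # tbsCertificate SEQUENCE
    tag, _, end = der_tlv(der, p)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        p = end
    for _ in range(3):                              # serialNumber, signature, issuer
        _, _, p = der_tlv(der, p)
    _, p, _ = der_tlv(der, p)                       # validity SEQUENCE
    _, _, p = der_tlv(der, p)                       # skip notBefore
    tag, vs, ve = der_tlv(der, p)                   # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[vs:ve].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def prune_expired(bundle_pem, now):
    """Split a PEM bundle into (kept, dropped) PEM blocks; dropped = notAfter <= now."""
    kept, dropped = [], []
    for m in PEM_RE.finditer(bundle_pem):
        expired = cert_not_after(base64.b64decode(m.group(1))) <= now
        (dropped if expired else kept).append(m.group(0))
    return kept, dropped

# Constructed sample data: unsigned certificate skeletons with only the fields the walker reads.
def _der(tag, body):                                # short-form lengths suffice for the sample
    return bytes([tag, len(body)]) + body

def sample_cert_pem(not_after_utctime):
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                  # [0] version v3
        _der(0x02, b"\x01"),                                              # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSAEncryption
        _der(0x30, b""),                                                  # issuer Name (empty)
        _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, not_after_utctime)),  # validity
    ]))
    b64 = base64.b64encode(_der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# First entry dated like the InCommon RSA Server CA, second like the expired AddTrust cross-sign.
SAMPLE_BUNDLE = sample_cert_pem(b"241005235959Z") + sample_cert_pem(b"200530104838Z")
```

For a real bundle, call `prune_expired(open(path).read(), datetime.now(timezone.utc))` and write the kept blocks back; `openssl x509 -noout -enddate` on each block gives the same date for cross-checking.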