Then I suggest you run the following command on those systems too:
openssl verify -CAfile root.crt other.crt
where "other.crt" is the EE certificate, server.crt or postgresql.crt.
Says OK on both machines.
In crypto/x509/x509_vfy.c the function check_cert_time() is the one you need.
Around the line with X509_V_ERR_CERT_HAS_EXPIRED, "x" is the certificate it
thinks has expired. Suggest you dump that out to a temp file using
PEM_write_X509().
Tried that. Added
#include <openssl/pem.h>
and modified the appropriate part of check_cert_time() as follows:
if (i < 0)
{
+ FILE * f;
+ f = fopen( "/tmp/CERTDUMP_EXPIRED", "w" );
+ PEM_write_X509( f, x );
+ fclose( f );
ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
ctx->current_cert=x;
if (!ctx->verify_cb(0, ctx))
return 0;
}
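Review bot: the fopen() result goes straight into PEM_write_X509(f, x) without a NULL check, so if /tmp/CERTDUMP_EXPIRED cannot be created (a backend running with a different umask, or a private/tmp) libcrypto dereferences NULL inside the verify path instead of reporting a clean error; wrap the three added calls in `if (f != NULL) { ... }`. Also consider "a" instead of "w": if the branch is reached for more than one certificate during a single verification, each call truncates the dump written by the previous one.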
The four lines I added did *not* execute at all on errors. I tried that
multiple times and restarted PostgreSQL to make sure libraries get reloaded.
Wrote a dummy program that could really open the file for writing. OpenSSL did
not even touch the file. Checked twice, compiled twice...
I even tried to recompile PostgreSQL (!) to make sure there is no static
linking and the like. Nothing of that kind. It still didn't work. So I modified
the whole function like this:
static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
{
time_t *ptime;
int i;
+ FILE * f;
+ f = fopen( "/tmp/CERTDUMP_EXPIRED", "w" );
if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
ptime = &ctx->param->check_time;
else
ptime = NULL;
+ fputs( "Before comparison.", f );
i=X509_cmp_time(X509_get_notBefore(x), ptime);
if (i == 0)
{
+ fputs( "BEFORE FIELD ERROR", f );
+ PEM_write_X509( f, x );
+ fclose( f );
ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
ctx->current_cert=x;
if (!ctx->verify_cb(0, ctx))
return 0;
}
if (i > 0)
{
+ fputs( "NOT_YET failure", f );
+ PEM_write_X509( f, x );
+ fclose( f );
ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
ctx->current_cert=x;
if (!ctx->verify_cb(0, ctx))
return 0;
}
i=X509_cmp_time(X509_get_notAfter(x), ptime);
if (i == 0)
{
+ fputs( "AFTER FIELD ERROR", f );
+ PEM_write_X509( f, x );
+ fclose( f );
ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
ctx->current_cert=x;
if (!ctx->verify_cb(0, ctx))
return 0;
}
if (i < 0)
{
+ fputs( "EXPIRED failure", f );
+ PEM_write_X509( f, x );
+ fclose( f );
ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
ctx->current_cert=x;
if (!ctx->verify_cb(0, ctx))
return 0;
}
return 1;
}
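Review bot: on the success path (the final `return 1`) f is never closed, so each successful call leaks a FILE* and its buffered "Before comparison." is only written when the process exits, exactly as observed; and because every call reopens the file with "w", the dump only ever reflects the last time this function ran, not every certificate it was called for. That weakens the conclusion drawn from the file contents: a file holding just "Before comparison." proves the last call returned 1, not that no call took an error branch. Suggest opening with "a", adding `fclose(f);` before `return 1;`, and writing the subject (X509_NAME_oneline(X509_get_subject_name(x), NULL, 0)) with a trailing newline in each fputs() so the entries can be told apart.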
The result was surprising: The file /tmp/CERTDUMP_EXPIRED contained *only*
'Before comparison.'. This means that *none* of the further branches could run!
(In such a case, even fclose() did not run, but 'Before comparison.' was probably
flushed automatically when the process exited.)
So it seems that timestamp evaluation is OK. The function probably reached its
end and returned 1. But where does the error message come from?
Is there anything I am doing wrong? There are thousands of PostgreSQL users.
Most of them probably need SSL. But there are no similar reports, AFAIK. :-(
Andrej
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
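The debugging in this thread hinges on the three-way result of X509_cmp_time() and on which certificate of the chain check_cert_time() was looking at when it set ctx->error. The program below is an added example, not code from OpenSSL or from anyone in the thread: it re-implements that decision logic in a self-contained way so the outcomes (malformed field, not yet valid, expired) can be exercised against a constructed chain without patching libcrypto. The function names, the cert_time_status enum, the sample chain and its dates are all assumptions made for the example; the ASN.1 time strings are assumed to be the printable "YYMMDDHHMMSSZ" (UTCTime) or "YYYYMMDDHHMMSSZ" (GeneralizedTime) forms.

```c
/* Added example, not OpenSSL's code or the poster's: a self-contained
 * re-implementation of the decision logic of check_cert_time(), so the three
 * outcomes of the notBefore/notAfter comparison (malformed field, not yet
 * valid, expired) can be exercised per certificate without patching libcrypto.
 * Assumed input: ASN.1 UTCTime "YYMMDDHHMMSSZ" or GeneralizedTime
 * "YYYYMMDDHHMMSSZ"; anything else counts as a malformed field. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for OpenSSL's X509_V_ERR_* codes, not their numeric values. */
typedef enum { CERT_TIME_OK, CERT_TIME_BAD_NOT_BEFORE, CERT_TIME_NOT_YET_VALID,
               CERT_TIME_BAD_NOT_AFTER, CERT_TIME_EXPIRED } cert_time_status;

/* Days since 1970-01-01 (Hinnant's days_from_civil): no timegm()/mktime(). */
static long long days_from_civil(long long y, unsigned m, unsigned d)
{
    y -= m <= 2;
    long long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (long long)doe - 719468;
}

/* Parse an ASN.1 time string into seconds since the Unix epoch.
 * Returns 1 on success, 0 on a malformed field. */
static int asn1_time_to_epoch(const char *s, long long *out)
{
    size_t n = strlen(s), ydigits = (n == 13) ? 2 : (n == 15) ? 4 : 0, pos = 0;
    int f[6] = {0};                     /* year, month, day, hour, min, sec */
    if (ydigits == 0 || s[n - 1] != 'Z')
        return 0;
    for (int k = 0; k < 6; k++)
        for (size_t j = 0, w = k ? 2 : ydigits; j < w; j++, pos++) {
            if (!isdigit((unsigned char)s[pos]))
                return 0;
            f[k] = f[k] * 10 + (s[pos] - '0');
        }
    if (ydigits == 2)                   /* RFC 5280 two-digit year rule */
        f[0] += (f[0] < 50) ? 2000 : 1900;
    if (f[1] < 1 || f[1] > 12 || f[2] < 1 || f[2] > 31 ||
        f[3] > 23 || f[4] > 59 || f[5] > 59)
        return 0;
    *out = days_from_civil(f[0], (unsigned)f[1], (unsigned)f[2]) * 86400LL
         + f[3] * 3600LL + f[4] * 60LL + f[5];
    return 1;
}

/* Same contract as X509_cmp_time(): -1 if the field lies before `now`,
 * 1 otherwise, 0 if it cannot be parsed. */
static int cmp_time(const char *asn1, long long now)
{
    long long t;
    return asn1_time_to_epoch(asn1, &t) ? (t < now ? -1 : 1) : 0;
}

/* Decision order of check_cert_time(): malformed before out-of-range, and
 * notBefore before notAfter. The real function hands each error to
 * ctx->verify_cb and goes on if the callback accepts it; this one stops. */
static cert_time_status check_cert_time_demo(const char *not_before,
                                             const char *not_after, long long now)
{
    int i = cmp_time(not_before, now);
    if (i == 0) return CERT_TIME_BAD_NOT_BEFORE;
    if (i > 0)  return CERT_TIME_NOT_YET_VALID;
    i = cmp_time(not_after, now);
    if (i == 0) return CERT_TIME_BAD_NOT_AFTER;
    if (i < 0)  return CERT_TIME_EXPIRED;
    return CERT_TIME_OK;
}

/* One entry per certificate, leaf first, as the verifier walks the chain. */
struct chain_entry { const char *label, *not_before, *not_after; };

/* Index of the first certificate whose validity period fails (the one the
 * library would expose as ctx->current_cert), or -1 if all pass. */
static int first_failing_cert(const struct chain_entry *chain, size_t n,
                              long long now, cert_time_status *why)
{
    for (size_t k = 0; k < n; k++) {
        *why = check_cert_time_demo(chain[k].not_before, chain[k].not_after, now);
        if (*why != CERT_TIME_OK)
            return (int)k;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample chain: the leaf is fine, the root ran out in 2020. */
    const struct chain_entry chain[] = {
        { "server.crt", "200101000000Z", "251231235959Z" },
        { "root.crt",   "150101000000Z", "20200101000000Z" },
    };
    long long now;
    cert_time_status why;
    asn1_time_to_epoch("20210601120000Z", &now);   /* plays the role of check_time */
    int idx = first_failing_cert(chain, 2, now, &why);
    if (idx < 0) printf("every certificate passes the time check\n");
    else printf("%s fails with status %d\n", chain[idx].label, (int)why);
    return 0;
}
```

Running it reports root.crt as the failing certificate, which is the point of walking the whole chain: the X509_V_ERR_CERT_HAS_EXPIRED an application sees can refer to any certificate in the chain, not only the one named on the command line, so a dump keyed on the subject is needed to tell which one a verify callback was looking at.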