Hi!
I wrote a small program which dumps all root certificates from Windows
certificate store into a file. Then I use openssl to connect to Google
and validate its certificate:
openssl s_client -connect www.google.com:443 -CAfile dump.crt
When using openssl 0.9.8k or openssl 0.9.8x everything works as expected.
When using openssl 1.0.0g or openssl 1.0.1c the certificate validation
fails with:
Verify return code: 10 (certificate has expired)
CONNECTED(0000016C)
depth=2 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary
Certification Authority
verify error:num=10:certificate has expired
notAfter=Jan 7 23:59:59 2004 GMT
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Authority
When analyzing the cafile with the dumped certificates from the Windows
certificate store, I found out that there are two certificates for
VeriSign with an identical subject, of which one is expired and the other is not.
X.509 Certificate Information:
Version: 1
Serial Number (hex): 00e49efdf33ae80ecfa5113e19a4240232
Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Certification Authority
Validity:
Not Before: Mon Jan 29 00:00:00 UTC 1996
Not After: Wed Jan 07 23:59:59 UTC 2004
Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Certification Authority
Subject Public Key Algorithm: RSA
X.509 Certificate Information:
Version: 1
Serial Number (hex): 70bae41d10d92934b638ca7b03ccbabf
Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Certification Authority
Validity:
Not Before: Mon Jan 29 00:00:00 UTC 1996
Not After: Tue Aug 01 23:59:59 UTC 2028
Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Certification Authority
Subject Public Key Algorithm: RSA
Thus, it seems that openssl 0.9.8 just ignores the expired certificate
and searches for another valid one, whereas openssl 1.0.0 stops
at the first expired certificate.
Is the new behavior the intended behavior? Is it possible to have the
old behavior also in new openssl versions?
Thanks
Klaus
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
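Added example (not code from the original message or from OpenSSL): a small pure-Python check that parses DER certificates and flags the situation described above, a CA bundle that carries two certificates with the same subject where one has expired. It builds its own constructed, unsigned v1-shaped sample certificates (not real VeriSign roots) so it runs offline; a real dumped bundle would be passed in as a list of DER blobs.

```python
import datetime as dt

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed DER value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return dt.datetime.strptime(val.decode(), fmt).replace(tzinfo=dt.timezone.utc)

def cert_identity(der):
    """Return (subject DER, notBefore, notAfter) from one DER-encoded Certificate."""
    tbs = _children(_children(_tlv(der, 0)[1])[0][1])
    if tbs[0][0] == 0xA0:  # explicit [0] version; absent on v1 roots like the ones above
        tbs = tbs[1:]
    validity = _children(tbs[3][1])  # order: serial, sigAlg, issuer, validity, subject, ...
    return tbs[4][1], _time(*validity[0]), _time(*validity[1])

def prune_bundle(certs, now):
    """Keep one entry per subject: the copies valid at 'now' if any, else all copies (for reporting)."""
    by_subject = {}
    for der in certs:
        subj, nb, na = cert_identity(der)
        by_subject.setdefault(subj, []).append((der, nb <= now <= na))
    keep = []
    for items in by_subject.values():
        valid = [d for d, ok in items if ok]
        keep.extend(valid or [d for d, _ in items])
    return keep

def _der(tag, payload):
    """Tiny DER encoder, used only to build the constructed sample certificates below."""
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + payload

def sample_cert(serial, not_after):
    """Constructed v1-shaped certificate with a VeriSign-like subject; NOT a real CA certificate."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x0a") + _der(0x13, b"VeriSign, Inc."))))
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"))  # sha1WithRSAEncryption OID
    validity = _der(0x30, _der(0x17, b"960129000000Z") + _der(0x17, not_after))
    tbs = _der(0x30, _der(0x02, serial) + alg + name + validity + name + _der(0x30, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))  # dummy signature BIT STRING, never verified
```

Running prune_bundle over the two constructed certificates (notAfter Jan 7 2004 versus Aug 1 2028, as in the question) with a 2012 clock keeps only the unexpired copy, which is the bundle you would want to hand to -CAfile.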