Hi, I don't think this question was answered. Could you please reply?
-- Ashok

On Tue, Jul 31, 2012 at 11:13 PM, Klaus Darilion <[email protected]> wrote:
> Hi!
>
> I wrote a small program which dumps all root certificates from Windows
> certificate store into a file. Then I use openssl to connect to Google and
> validate its certificate:
>
> openssl s_client -connect www.google.com:443 -CAfile dump.crt
>
> When using openssl 0.9.8k or openssl 0.9.8x everything works as expected.
>
> When using openssl 1.0.0g or openssl 1.0.1c the certificate validation
> fails with:
> Verify return code: 10 (certificate has expired)
>
> CONNECTED(0000016C)
> depth=2 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
> verify error:num=10:certificate has expired
> notAfter=Jan 7 23:59:59 2004 GMT
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
>    i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
>  1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
>    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
>
> When analyzing the cafile with the dumped certificates from Windows
> certificate store, I found out that there are two certificates for Verisign
> with identical subject, whereas one is expired, the other not.
>
> X.509 Certificate Information:
>     Version: 1
>     Serial Number (hex): 00e49efdf33ae80ecfa5113e19a4240232
>     Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
>     Validity:
>         Not Before: Mon Jan 29 00:00:00 UTC 1996
>         Not After:  Wed Jan 07 23:59:59 UTC 2004
>     Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
>     Subject Public Key Algorithm: RSA
>
> X.509 Certificate Information:
>     Version: 1
>     Serial Number (hex): 70bae41d10d92934b638ca7b03ccbabf
>     Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
>     Validity:
>         Not Before: Mon Jan 29 00:00:00 UTC 1996
>         Not After:  Tue Aug 01 23:59:59 UTC 2028
>     Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
>     Subject Public Key Algorithm: RSA
>
>
> Thus, it seems that openssl 0.9.8 just ignores the expired certificate and
> searches if there is another valid one, whereas openssl 1.0.0 stops with the
> first expired certificate.
>
> Is the new behavior the intended behavior? Is it possible to have the old
> behavior also in new openssl versions?
>
> Thanks
> Klaus
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [email protected]
> Automated List Manager                           [email protected]
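A check worth running on a dumped bundle like dump.crt before handing it to OpenSSL: list every subject that occurs more than once with at least one expired copy, which is exactly the pair of VeriSign roots Klaus found. This is an added example, not code from the thread; it assumes the openssl CLI is on PATH for the on-disk audit, and the constructed SAMPLE reuses the two VeriSign entries quoted above in the text form `openssl x509 -noout -subject -serial -enddate` prints.

```python
import re, subprocess, sys
from collections import defaultdict
from datetime import datetime, timezone

# One PEM certificate block inside a concatenated bundle such as dump.crt.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def parse_description(text):
    """Turn the 'subject=', 'serial=', 'notAfter=' lines into a record with a UTC expiry."""
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    not_after = datetime.strptime(fields["notAfter"].strip(), "%b %d %H:%M:%S %Y %Z")
    return {"subject": fields["subject"].strip(), "serial": fields["serial"].strip(),
            "not_after": not_after.replace(tzinfo=timezone.utc)}

def find_expired_duplicates(records, now=None):
    """{subject: (expired_serials, valid_serials)} for subjects present more than once with an expired copy."""
    now = now or datetime.now(timezone.utc)
    by_subject = defaultdict(list)
    for rec in records:
        by_subject[rec["subject"]].append(rec)
    report = {}
    for subject, certs in by_subject.items():
        expired = [c["serial"] for c in certs if c["not_after"] <= now]
        if len(certs) > 1 and expired:
            report[subject] = (expired, [c["serial"] for c in certs if c["not_after"] > now])
    return report

def audit_bundle(path, now=None):
    """Audit a PEM bundle on disk; each cert is described by the openssl CLI (assumed on PATH)."""
    cmd = ["openssl", "x509", "-noout", "-subject", "-serial", "-enddate"]
    with open(path) as f:
        outputs = [subprocess.run(cmd, input=b.encode(), capture_output=True, check=True).stdout.decode()
                   for b in PEM_RE.findall(f.read())]
    return find_expired_duplicates([parse_description(o) for o in outputs], now)

# Constructed sample (values from the thread): the two VeriSign roots in the text
# form `openssl x509 -noout -subject -serial -enddate` prints.
SAMPLE = [
    "subject= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority\n"
    "serial=00e49efdf33ae80ecfa5113e19a4240232\nnotAfter=Jan  7 23:59:59 2004 GMT\n",
    "subject= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority\n"
    "serial=70bae41d10d92934b638ca7b03ccbabf\nnotAfter=Aug  1 23:59:59 2028 GMT\n",
]

def check_sample(now=datetime(2012, 7, 31, tzinfo=timezone.utc)):
    """Run the check over SAMPLE as of the thread's date (July 2012)."""
    return find_expired_duplicates([parse_description(t) for t in SAMPLE], now)

if __name__ == "__main__":  # usage: python audit.py dump.crt  (no argument: run the sample)
    print(audit_bundle(sys.argv[1]) if len(sys.argv) > 1 else check_sample())
```

With the sample, the report names the VeriSign subject once, listing the 2004 serial as expired and the 2028 serial as still valid; the same subject reported for a real dump.crt means the bundle contains the case the thread describes.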
