Hi Etkal, >>s_client app or the OpenSSL cert store functionality that changed this. The problem is with the openSSL store itself, as I had tested this with my own SSL client and observed the same behaviour.
-- Ashok On Thu, Sep 13, 2012 at 8:39 PM, Erik Tkal <et...@juniper.net> wrote: > I suppose that’s a workaround, but doesn’t address the root cause. > Windows can quite happily handle expired certificates still hanging out in > trusted stores; I see this all the time as root updates occur and renewed > certificates are installed. It seems that a change in OpenSSL broke the > previous behaviour that allowed this as well, though we can’t tell if it’s > the s_client app or the OpenSSL cert store functionality that changed this. > **** > > > .................................... > *Erik Tkal** > *Juniper OAC/UAC/Pulse Development > > **** > > ** ** > > *From:* owner-openssl-us...@openssl.org [mailto: > owner-openssl-us...@openssl.org] *On Behalf Of *Charles Mills > *Sent:* Thursday, September 13, 2012 9:42 AM > *To:* openssl-users@openssl.org > *Subject:* RE: certificate validation issues with openssl 1.0.0 and > expired certificates in cafile**** > > ** ** > > Would it make sense to delete the expired certificate from the Windows > store? Duplicate expired/non expired CA certificates sounds to me like a > problem waiting to happen.**** > > ** ** > > *Charles***** > > *From:* owner-openssl-us...@openssl.org [ > mailto:owner-openssl-us...@openssl.org <owner-openssl-us...@openssl.org>] > *On Behalf Of *Ashok C > *Sent:* Thursday, September 13, 2012 12:49 AM > *To:* openssl-users@openssl.org > *Subject:* Re: certificate validation issues with openssl 1.0.0 and > expired certificates in cafile**** > > ** ** > > Sending again as the previous email did not appear in list. > Is there some problem with the mailing list? > > -- > Ashok**** > > On Wed, Sep 12, 2012 at 2:59 PM, Ashok C <ash....@gmail.com> wrote:**** > > Hi, > > I don't think this question was answered. Could you please reply? > > -- > Ashok**** > > ** ** > > On Tue, Jul 31, 2012 at 11:13 PM, Klaus Darilion < > klaus.mailingli...@pernau.at> wrote:**** > > Hi! > > I wrote a small program which dumps all root certificates from Windows > certificate store into a file. Then I use openssl to connect to Google and > validate its certificate: > > openssl s_client -connect www.google.com:443 -CAfile dump.crt > > When using openssl0.9.8k or openssl0.9.8x everything works as expected. > > When using openssl1.0.0g or openssl 1.0.1c the certificate validation > fails with: > Verify return code: 10 (certificate has expired) > > CONNECTED(0000016C) > depth=2 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary > Certification Authority > verify error:num=10:certificate has expired > notAfter=Jan 7 23:59:59 2004 GMT > verify return:0 > --- > Certificate chain > 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com > i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA > 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA > i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification > Authority > > When analyzing the cafile with the dumped certificates from Windows > certificate store, I found out that there are two certificates for Verisign > with identical subject, whereas one is expired, the other not. > > X.509 Certificate Information: > Version: 1 > Serial Number (hex): 00e49efdf33ae80ecfa5113e19a4240232 > Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary > Certification Authority > Validity: > Not Before: Mon Jan 29 00:00:00 UTC 1996 > Not After: Wed Jan 07 23:59:59 UTC 2004 > Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary > Certification Authority > Subject Public Key Algorithm: RSA > > X.509 Certificate Information: > Version: 1 > Serial Number (hex): 70bae41d10d92934b638ca7b03ccbabf > Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary > Certification Authority > Validity: > Not Before: Mon Jan 29 00:00:00 UTC 1996 > Not After: Tue Aug 01 23:59:59 UTC 2028 > Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary > Certification Authority > Subject Public Key Algorithm: RSA > > > Thus, it seems that openssl 0.9.8 just ignores the expired certificate and > searches if there is another valid one whereas openssl 1.0.0 stop with the > first expired certificate. > > Is the new behavior the intended behavior? Is it possible to have the old > behavior also in new openssl versions? > > Thanks > Klaus > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org**** > > ** ** > > ** ** >
