As per comments by Viktor on the dev list, this is by design:

On 27 April 2014 17:10, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
> On Sun, Apr 27, 2014 at 01:04:13PM +0200, sch_m via RT wrote:
>
>> I was playing around with openssl and found a minor bug which
>> makes it possible to put the end date before the start date. This
>> happened by creating a certificate using
>
> I think this is a feature, not a bug. It should be possible to
> create a certificate that is never valid. It will be accepted only
> by clients that directly trust the public key or certificate
> fingerprint and ignore the dates.
>
> Also, generating such certificates makes it easier to generate test
> cases for verifier implementations. I've used "-days -1" from time
> to time to generate such "never valid" certificates.
>
> --
> Viktor.

Matt
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org