Hi--

I have a custom SSL client application which uses OpenSSL to pull credit reports over the Internet, which worked fine until last Friday. One of the things I must do in my application (to keep certified with the vendor) is to verify their certificate based on several criteria, basically the same things many web browsers do plus a few extra simple checks on the domain. Most of those checks are going fine, except where I check the date validity. Prior to last Friday, what I'm going to paste below worked fine, but now gives absolute junk output (example below). Before I continue too much, I will say that the vendor did 'fess up to a change on their end (upgraded SSLv2 to SSLv3), but they are saying no one else is having problems. As far as I can tell, this shouldn't have broken my code (I'm using "SSLv3_client_method" and have for some time). Oh, incidentally, their system is *currently* down but was not on Friday. Currently, I'm using this procedure to tell if a certificate is valid:

     /* Needs <openssl/ssl.h> and <openssl/x509.h>.  X509_cmp_current_time()
        returns -1 if the time is at or before now, 1 if it is after now, and
        0 if the time could not be parsed, so 0 fails both checks below. */
     if ((res = SSL_get_verify_result(ssl)) != X509_V_OK)
      {
...
      } else {
      if (X509_cmp_current_time(X509_get_notAfter(server_cert)) <= 0)
      {
              fprintf(ferr,"Expired certificate\n");
              fflush(ferr);
              printf("Error \"Certificate expired\"\n");
              fflush(stdout);
              /* was gets(): no bounds check; assumes szRecvBuf is a char array */
              fgets(szRecvBuf,sizeof(szRecvBuf),stdin);
              return -1;
      }
      if (X509_cmp_current_time(X509_get_notBefore(server_cert)) >= 0)
      {
              fprintf(ferr,"Certificate not yet valid\n");
              fflush(ferr);
              /* this branch used to print "Certificate expired" as well */
              printf("Error \"Certificate not yet valid\"\n");
              fflush(stdout);
              fgets(szRecvBuf,sizeof(szRecvBuf),stdin);
              return -1;
      }
      }

The first of these is failing, normally indicating a certificate that's expired. OK, no biggie, but I just wanted to be sure, so I turned on the debug version of my code, which logs certificate validity times:
#if DBG
      /* log the validity period; ssldata.expire is reused as the scratch buffer */
      asn1time_to_string(X509_get_notBefore(server_cert),ssldata.expire);
      fprintf(ferr,"Certificate valid start date: %s\n",ssldata.expire);

      asn1time_to_string(X509_get_notAfter(server_cert),ssldata.expire);
      fprintf(ferr,"Certificate valid end date: %s\n",ssldata.expire);
      fflush(ferr);
#endif

Prior to last week, this has always returned information in the form of:
Certificate valid start date: Oct 31 00:00:00 2002 GMT
Certificate valid end date: Oct 30 23:59:59 2004 GMT

***but*** now I'm receiving:
Certificate valid start date: Bad time valueludGVybmF0
Certificate valid end date: Bad time value

My custom asn1time_to_string, mostly copied from some place I found on the web:
/* Render an ASN1_TIME the way ASN1_TIME_print() does, e.g. "Oct 31 00:00:00 2002 GMT".
   buf must have room for at least ASN1TIME_BUF_LEN bytes. */
#define ASN1TIME_BUF_LEN 64

void asn1time_to_string(ASN1_TIME *tm, char *buf)
{
char *expires;
char *pos;
long len;
BIO *bio;

      strcpy(buf,"[invalid date]");
      bio = BIO_new(BIO_s_mem());
      if (bio)
      {
              /* ASN1_TIME_print() returns 0 (after writing "Bad time value" to the
                 BIO) when it cannot parse tm, so check its result instead of copying */
              if (!ASN1_TIME_print(bio,tm))
              {
                      strcpy(buf,"Invalid Time");
                      BIO_free(bio);
                      return;
              }
              /* A memory BIO's data is NOT NUL-terminated: BIO_get_mem_data() returns
                 its length, and a plain strcpy() keeps reading past the end into whatever
                 follows in memory.  Copy only 'len' bytes and terminate ourselves. */
              len = BIO_get_mem_data(bio,&expires);
              if (expires && len > 0)
              {
                      if (len > ASN1TIME_BUF_LEN - 1)
                              len = ASN1TIME_BUF_LEN - 1;
                      memcpy(buf,expires,len);
                      buf[len] = 0;
                      pos = strstr(buf,"GMT");
                      if (pos)
                      {
                              pos += 3;
                              *pos = 0;
                      }
              }
              else
                      strcpy(buf,"Invalid Time");
              BIO_free(bio);
      }
}

So my question is "What gives?"... They're saying I don't have updated VeriSign/Thawte certs, but I'm pretty sure that I do (I'm using the ca-bundle.crt file from latest mod_ssl, since I know that package is updated often). Besides, wouldn't my SSL_get_verify_result fail with an error about the CA's certificate not being valid? Please, any ideas would be appreciated. Working with this vendor is not easy and changing my code will be the only fix, can't pressure them to go back to what was working...

Thanks,
-John
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
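An added example, not part of John's post and not OpenSSL code, that exercises the two date checks and the time-to-string conversion offline in plain C with no OpenSSL dependency. It parses the UTCTime and GeneralizedTime encodings X.509 uses for notBefore/notAfter, renders them in the same "Oct 31 00:00:00 2002 GMT" form as the debug output quoted above, and compares them against a caller-supplied timestamp using the contract documented for X509_cmp_current_time(): -1 if the certificate time is at or before the reference time, 1 if after, 0 if the time cannot be parsed. Note that the posted check treats that 0 as expired, so an unparsable time lands in the "Expired certificate" branch. The function names (parse_asn1_time, cmp_asn1_time, validity_period_ok, asn1_time_format, formats_as) and the reference timestamps are assumptions made for this example; the two dates are the ones quoted in the post.

```c
/* Added example (not from the post or from OpenSSL): parse, render and compare
 * the ASN.1 time encodings X.509 uses for notBefore/notAfter, with no OpenSSL. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>

struct asn1_tm { int year, mon, day, hour, min, sec; };

/* Read exactly n decimal digits into *out; -1 if any character is not a digit. */
static int digits(const char *s, int n, int *out)
{
    for (*out = 0; n-- > 0; s++) {
        if (!isdigit((unsigned char)*s)) return -1;
        *out = *out * 10 + (*s - '0');
    }
    return 0;
}

/* UTCTime "YYMMDDhhmmssZ" or GeneralizedTime "YYYYMMDDhhmmssZ" (UTC, whole
 * seconds, as RFC 5280 requires). Returns 0, or -1 if s is malformed. */
int parse_asn1_time(const char *s, struct asn1_tm *t)
{
    size_t len = strlen(s);
    const char *p = s;
    if (len == 13) {                            /* UTCTime: two-digit year */
        if (digits(p, 2, &t->year)) return -1;
        t->year += (t->year >= 50) ? 1900 : 2000;   /* RFC 5280 4.1.2.5.1 pivot */
        p += 2;
    } else if (len == 15) {                     /* GeneralizedTime: four-digit year */
        if (digits(p, 4, &t->year)) return -1;
        p += 4;
    } else return -1;
    if (digits(p, 2, &t->mon) || digits(p + 2, 2, &t->day) ||
        digits(p + 4, 2, &t->hour) || digits(p + 6, 2, &t->min) ||
        digits(p + 8, 2, &t->sec) || p[10] != 'Z')
        return -1;
    if (t->mon < 1 || t->mon > 12 || t->day < 1 || t->day > 31 ||
        t->hour > 23 || t->min > 59 || t->sec > 59)
        return -1;
    return 0;
}

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's days_from_civil). */
static int64_t days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

/* Same contract as X509_cmp_current_time(), but against a caller-supplied
 * 'now': -1 if the time is at or before now, 1 if after, 0 if unparsable. */
int cmp_asn1_time(const char *s, int64_t now)
{
    struct asn1_tm t;
    if (parse_asn1_time(s, &t)) return 0;
    int64_t secs = days_from_civil(t.year, t.mon, t.day) * 86400 + t.hour * 3600 + t.min * 60 + t.sec;
    return secs <= now ? -1 : 1;
}

/* The two checks from the post; the 0 (error) return fails both, so a malformed date is rejected. */
int validity_period_ok(const char *not_before, const char *not_after, int64_t now)
{
    if (cmp_asn1_time(not_after, now) <= 0) return 0;   /* expired, or bad */
    if (cmp_asn1_time(not_before, now) >= 0) return 0;  /* not yet valid, or bad */
    return 1;
}

/* Render as ASN1_TIME_print() does ("Oct 31 00:00:00 2002 GMT") into buf of buflen
 * bytes, always NUL-terminated. Returns 0, or -1 if the time is bad or the buffer
 * is too small: the bounds check a raw strcpy() out of a memory BIO lacks. */
int asn1_time_format(const char *s, char *buf, size_t buflen)
{
    static const char *mon[] = {"Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec"};
    struct asn1_tm t;
    if (buflen == 0) return -1;
    if (parse_asn1_time(s, &t)) { snprintf(buf, buflen, "%s", "Bad time value"); return -1; }
    int n = snprintf(buf, buflen, "%s %2d %02d:%02d:%02d %d GMT",
                     mon[t.mon - 1], t.day, t.hour, t.min, t.sec, t.year);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

/* Does s render exactly as expected into a 32-byte buffer? */
int formats_as(const char *s, const char *expected)
{
    char buf[32];
    return asn1_time_format(s, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* The two dates quoted in the post, and a constructed 'now' in April 2003. */
    const char *nb = "021031000000Z", *na = "041030235959Z";
    char buf[32];
    asn1_time_format(nb, buf, sizeof buf); printf("start: %s\n", buf);
    asn1_time_format(na, buf, sizeof buf); printf("end:   %s\n", buf);
    printf("valid: %d, garbage cmp: %d\n", validity_period_ok(nb, na, 1050000000),
           cmp_asn1_time("Bad time value", 1050000000));
    return 0;
}
```

The point of keeping the 0 return distinct from -1 and 1 is that a time which does not parse fails closed in both directions; the renderer takes an explicit buffer length for the same reason the posted copy out of the memory BIO needs one.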