Hello.


We found a bug in OpenSSL CA certificate loading. This is an important bug for us in
Estonia ( http://id.ee/?lang=en&id= ) because we use OpenSSL as the base library in
digital signature verification. In the digital signature world it is normal that you
want to verify signatures when the CA certificates have expired.


https://codereview.qt-project.org/#change,85087


https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html#WARNINGS


If several CA certificates matching the name, key identifier, and serial
number condition are available, only the first one will be examined. This
may lead to unexpected results if the same CA certificate is available with
different expiration dates. If a ``certificate expired'' verification error
occurs, no other certificate will be searched. Make sure to not have expired
certificates mixed with valid ones.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
