On Fri Aug 22 21:00:55 2014, [email protected] wrote:
> I have the global sign new and old CA certs in a single file.
> Successful verification seems to depend on the order of the
> certificates in the file:
>
> $ cat globalsign_new.pem globalsign_old.pem > test.pem
> $ openssl s_client -connect bbc.co.uk:443 -CAfile test.pem
> ...
> Verify return code: 0 (ok)
> $ cat globalsign_old.pem globalsign_new.pem > test.pem
> $ openssl s_client -connect bbc.co.uk:443 -CAfile test.pem
> ...
> Verify return code: 10 (certificate has expired)
> $ openssl version
> OpenSSL 1.0.1f 6 Jan 2014
>
> It seems like it should verify against both certificates, for example
> if a renewed CA cert is issued before it becomes valid.
>
This is a known issue, see PR#3359. It should be fixed in the master branch.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
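
The order dependence reported in this thread, as an added example that is not part of the original messages and is not OpenSSL's code: a simplified model in which the issuer lookup takes the first subject match in the CA file, next to an order-independent lookup and a check for bundles where an expired CA cert precedes a valid one with the same subject. The certificate records, dates and function names are constructed for illustration, and the first-match behaviour is an assumption made to reproduce the two return codes shown above.

```python
from datetime import datetime, timezone

# Constructed trust-store entries (not real certificate data): an old and a
# reissued CA cert that share one subject name.
OLD_CA = {"subject": "CN=Example Root CA",
          "not_after": datetime(2014, 1, 1, tzinfo=timezone.utc)}
NEW_CA = {"subject": "CN=Example Root CA",
          "not_after": datetime(2030, 1, 1, tzinfo=timezone.utc)}
NOW = datetime(2014, 8, 22, tzinfo=timezone.utc)  # date of the report

# Verify return codes as printed by openssl s_client.
X509_V_OK = 0
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20

def first_match(store, issuer_name):
    """Assumed order-dependent lookup: first cert whose subject matches."""
    for cert in store:
        if cert["subject"] == issuer_name:
            return cert
    return None

def prefer_valid(store, issuer_name, now):
    """Order-independent lookup: among matches, prefer an unexpired cert."""
    matches = [c for c in store if c["subject"] == issuer_name]
    for cert in matches:
        if cert["not_after"] >= now:
            return cert
    return matches[0] if matches else None

def verify(issuer, now):
    """Map the chosen issuer to the return code s_client would report."""
    if issuer is None:
        return X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    return X509_V_OK if issuer["not_after"] >= now else X509_V_ERR_CERT_HAS_EXPIRED

def shadowed_by_expired(store, now):
    """Audit a bundle: subjects where an expired cert precedes a valid one."""
    seen_expired, flagged = set(), []
    for cert in store:
        subject = cert["subject"]
        if cert["not_after"] < now:
            seen_expired.add(subject)
        elif subject in seen_expired and subject not in flagged:
            flagged.append(subject)
    return flagged
```
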
