George Staikos wrote:
> 
> 
>   The problem only seems to be reproducible on Redhat 7.0 so far, but I
> haven't had enough people test it yet.  Basically, RSA/Verisign signed
> certificates all are determined to be expired by the X509 verification code.
> Thawte certificates work fine.  Also if I print the notBefore and notAfter
> dates, they are ok.  This is visible on sites like www.verisign.com and
> www.microsoft.com.   I still don't know if this is related to a bug in the
> compiler or not.
> 

There may be an expired certificate in the directory which wouldn't have
been noticed before....

OpenSSL 0.9.6 has the ability to search for multiple certificates
matching given criteria and one of these may be an expired certificate
as a result. 

A possible indication of this is the presence of some links in the
directory of the form <some hex stuff>.n where n > 1.

Previous versions would just generate links of the form *.0 and the
latest link would overwrite the previous one. 

So I suggest you look for links of the form *.1 *.2 etc in your certs
directory. Then if you find X.1 look at what X.0 points to and it may
well be expired.

If this is the cause then it's just pure luck that the unexpired
certificate was the last one in the directory previously, otherwise this
would have been apparent before.

If you aren't using a directory then it's possible that the file
containing several certificates also has some that have expired.

I suppose in future we should weed out expired certificates from the
search earlier on.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
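The check Steve describes (look for HASH.1, HASH.2 ... links in the certs directory, then see whether HASH.0 and its siblings have expired, and do the same for a single file holding several certificates) as an added POSIX shell example. This is not code from the thread or from the OpenSSL project; it assumes the hash-link naming described above (an 8-hex-digit hash followed by `.N`) and a modern `openssl x509` that supports `-checkend`, `-subject` and `-enddate`. The directory path and sample file names are placeholders.

```shell
#!/bin/sh
# Scan an OpenSSL certs directory for hash links HASH.N with N >= 1 and print
# "HASH N" for each. More than one link per hash means several certificates
# share a subject hash, so one of them may be expired.
find_hash_dups() {
  dir=$1
  for f in "$dir"/*.[1-9]*; do
    [ -e "$f" ] || continue
    base=$(basename "$f")
    hash=${base%.*}
    n=${base##*.}
    # Only plain hex names with a numeric suffix count as hash links.
    case "$hash" in *[!0-9a-fA-F]*) continue ;; esac
    case "$n" in *[!0-9]*) continue ;; esac
    echo "$hash $n"
  done
}

# Print subject, notAfter and validity status for one certificate file.
# `openssl x509 -checkend 0` exits 0 while the certificate is still valid.
cert_status() {
  f=$1
  if openssl x509 -noout -checkend 0 -in "$f" >/dev/null 2>&1; then
    status=valid
  else
    status=EXPIRED_or_unreadable
  fi
  info=$(openssl x509 -noout -subject -enddate -in "$f" 2>/dev/null | tr '\n' ' ')
  echo "$f : $status : $info"
}

# For every hash with more than one link, walk HASH.0, HASH.1, ... and
# report where each link points and whether that certificate has expired.
report_expired() {
  dir=$1
  find_hash_dups "$dir" | cut -d' ' -f1 | sort -u | while read -r hash; do
    i=0
    while [ -e "$dir/$hash.$i" ]; do
      p="$dir/$hash.$i"
      target=$(readlink "$p" 2>/dev/null || echo "(regular file)")
      echo "$p -> $target"
      cert_status "$p"
      i=$((i + 1))
    done
  done
}

# For the single-file case: split a PEM bundle into one file per certificate
# (in a temporary directory) and report the status of each.
bundle_status() {
  bundle=$1
  tmp=$(mktemp -d)
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n { print > (dir "/cert." n ".pem") }
  ' "$bundle"
  for f in "$tmp"/cert.*.pem; do
    [ -e "$f" ] || continue
    cert_status "$f"
  done
  rm -rf "$tmp"
}
```

Usage: source the script and run `report_expired /path/to/certs` for a hashed directory, or `bundle_status ca-bundle.pem` for a file of concatenated certificates. Any line marked `EXPIRED_or_unreadable` is a candidate for the stale certificate the verifier is tripping over; `find_hash_dups` alone is enough to confirm the "HASH.N with N > 0" symptom without needing `openssl`.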


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]