Sending again as the previous email did not appear on the list.
Is there some problem with the mailing list?

--
Ashok

On Wed, Sep 12, 2012 at 2:59 PM, Ashok C <ash....@gmail.com> wrote:

> Hi,
>
> I don't think this question was answered. Could you please reply?
>
> --
> Ashok
>
>
> On Tue, Jul 31, 2012 at 11:13 PM, Klaus Darilion <
> klaus.mailingli...@pernau.at> wrote:
>
>> Hi!
>>
>> I wrote a small program which dumps all root certificates from Windows
>> certificate store into a file. Then I use openssl to connect to Google and
>> validate its certificate:
>>
>> openssl s_client -connect www.google.com:443 -CAfile dump.crt
>>
>> When using openssl 0.9.8k or openssl 0.9.8x, everything works as expected.
>>
>> When using openssl 1.0.0g or openssl 1.0.1c, the certificate validation
>> fails with:
>>   Verify return code: 10 (certificate has expired)
>>
>> CONNECTED(0000016C)
>> depth=2 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary
>> Certification Authority
>> verify error:num=10:certificate has expired
>> notAfter=Jan  7 23:59:59 2004 GMT
>> verify return:0
>> ---
>> Certificate chain
>>  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
>>    i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
>>  1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
>>    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
>> Authority
>>
>> When analyzing the cafile with the dumped certificates from Windows
>> certificate store, I found out that there are two certificates for Verisign
>> with identical subject, whereas one is expired, the other not.
>>
>> X.509 Certificate Information:
>>         Version: 1
>>         Serial Number (hex): 00e49efdf33ae80ecfa5113e19a4240232
>>         Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
>> Certification Authority
>>         Validity:
>>                 Not Before: Mon Jan 29 00:00:00 UTC 1996
>>                 Not After: Wed Jan 07 23:59:59 UTC 2004
>>         Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
>> Certification Authority
>>         Subject Public Key Algorithm: RSA
>>
>> X.509 Certificate Information:
>>         Version: 1
>>         Serial Number (hex): 70bae41d10d92934b638ca7b03ccbabf
>>         Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
>> Certification Authority
>>         Validity:
>>                 Not Before: Mon Jan 29 00:00:00 UTC 1996
>>                 Not After: Tue Aug 01 23:59:59 UTC 2028
>>         Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
>> Certification Authority
>>         Subject Public Key Algorithm: RSA
>>
>>
>> Thus, it seems that openssl 0.9.8 just ignores the expired certificate
>> and searches whether there is another valid one, whereas openssl 1.0.0 stops
>> at the first expired certificate.
>>
>> Is the new behavior the intended behavior? Is it possible to have the old
>> behavior also in new openssl versions?
>>
>> Thanks
>> Klaus
>>
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           majord...@openssl.org
>>
>
>
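
Added example, not part of the thread and not Klaus's or OpenSSL's code: a stdlib-only Python script that does what Klaus did by hand on the dump. It groups every certificate in a PEM bundle by subject, flags subjects that occur more than once together with their notAfter dates, and writes out a bundle with the expired twins removed, so the file works no matter which same-subject certificate a given OpenSSL version tries first. The embedded certificates are constructed stand-ins (same subject and validity dates as the two dumped VeriSign roots, zero-filled keys and signatures, made-up serials) plus one made-up unrelated CA; the helper and variable names are the example's own.

```python
# Added example (stdlib only): find trust anchors in a PEM bundle that share a
# subject but differ in validity, and prune the expired twins. Sample certs are
# constructed test data with zero-filled keys and signatures, not real roots.
import base64
import datetime as dt
import re
from collections import defaultdict

UTC = dt.timezone.utc
OID_NAMES = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O",   # DER contents of id-at-*
             b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN"}
OID_BYTES = {v: k for k, v in OID_NAMES.items()}

def der(tag, content):                   # one DER element, short or long-form length
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def der_name(rdns):
    # Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value PrintableString }
    return der(0x30, b"".join(der(0x31, der(0x30, der(0x06, OID_BYTES[a]) + der(0x13, v.encode())))
                              for a, v in rdns))

def build_cert(subject, not_before, not_after, serial):
    """Constructed self-issued v1 certificate (no version field, like the dumped
    roots). Serial must be < 128; times are emitted as UTCTime (years < 2050)."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05") + der(0x05, b""))  # sha1WithRSA
    key = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b""))  # rsaEncryption
    utctime = lambda t: der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    tbs = der(0x30, der(0x02, bytes([serial])) + alg + der_name(subject)
              + der(0x30, utctime(not_before) + utctime(not_after)) + der_name(subject)
              + der(0x30, key + der(0x03, b"\x00" * 9)))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))

def pem_encode(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def pem_iter(text):                      # DER of every CERTIFICATE block, in file order
    for b64 in PEM_RE.findall(text):
        yield base64.b64decode("".join(b64.split()))

def read_tlv(buf, pos=0):                # -> (tag, content, end) of the element at pos
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_time(tag, content):
    s = content.decode("ascii")
    if tag == 0x17:                      # UTCTime: two-digit year, RFC 5280 pivot at 50
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def name_to_str(name):                   # openssl oneline style: /C=US/O=.../OU=...
    out, pos = [], 0
    while pos < len(name):
        _, rdn, pos = read_tlv(name, pos)
        atv = read_tlv(rdn)[1]
        _, oid, p = read_tlv(atv)
        out.append(OID_NAMES.get(oid, oid.hex()) + "=" + read_tlv(atv, p)[1].decode(errors="replace"))
    return "/" + "/".join(out)

def parse_cert(cert_der):
    tbs = read_tlv(read_tlv(cert_der)[1])[1]
    tag, _, end = read_tlv(tbs)
    pos = end if tag == 0xA0 else 0      # skip optional [0] version; absent means v1
    _, serial, pos = read_tlv(tbs, pos)
    pos = read_tlv(tbs, read_tlv(tbs, pos)[2])[2]       # skip signature alg, issuer
    _, validity, start = read_tlv(tbs, pos)
    _, subject, end = read_tlv(tbs, start)
    t1, nb, p = read_tlv(validity)
    t2, na, _ = read_tlv(validity, p)
    return {"der": cert_der, "subject_der": tbs[start:end], "subject": name_to_str(subject),
            "serial": serial.hex(), "not_before": parse_time(t1, nb), "not_after": parse_time(t2, na)}

def audit_bundle(pem_text, now):
    """Group anchors by exact subject encoding (OpenSSL looks issuers up by subject
    name) and report subjects that occur more than once. Returns (findings, pruned
    PEM): a cert outside its validity is dropped only if a same-subject twin is valid."""
    certs = [parse_cert(d) for d in pem_iter(pem_text)]
    by_subject = defaultdict(list)
    for c in certs:
        by_subject[c["subject_der"]].append(c)
    valid = lambda c: c["not_before"] <= now <= c["not_after"]
    findings = [(c["subject"], c["serial"], c["not_after"].date().isoformat(), valid(c))
                for c in certs if len(by_subject[c["subject_der"]]) > 1]
    keep = [c for c in certs if valid(c) or not any(map(valid, by_subject[c["subject_der"]]))]
    return findings, "".join(pem_encode(c["der"]) for c in keep)

# Constructed bundle mirroring the dump: two roots with an identical subject (expired one first), plus one unrelated CA.
T = lambda *a: dt.datetime(*a, tzinfo=UTC)
VERISIGN_C3 = [("C", "US"), ("O", "VeriSign, Inc."), ("OU", "Class 3 Public Primary Certification Authority")]
SAMPLE_BUNDLE = (pem_encode(build_cert(VERISIGN_C3, T(1996, 1, 29), T(2004, 1, 7, 23, 59, 59), 1))
                 + pem_encode(build_cert(VERISIGN_C3, T(1996, 1, 29), T(2028, 8, 1, 23, 59, 59), 2))
                 + pem_encode(build_cert([("CN", "Other Root CA")], T(2010, 1, 1), T(2030, 1, 1), 3)))
```

On a real dump, `audit_bundle(open("dump.crt").read(), datetime.now(timezone.utc))` returns the duplicate report and a cleaned bundle to write out and pass as `-CAfile`; removing the expired twin is the workaround that does not depend on which OpenSSL version is doing the lookup, and a subject whose only certificate is expired is left alone so nothing disappears silently. Two caveats: the grouping compares the raw DER subject, whereas OpenSSL compares canonicalised names, so two encodings of the same name would be missed here but matched by OpenSSL; and the parser reads only the TBSCertificate fields up to the subject, it does not check signatures or extensions.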
