OpenSSL 1.0.1 works fine here, both with expired and revoked certificates (i.e. correctly reports the status).
Could you share your elements (certs, CRLs)?

--
Erwann ABALEA
-----
chlorophytophonie: music for green plants

On 05/12/2012 15:11, Will Nordmeyer wrote:
Hi, I've done some googling and failed to come up with an answer...

I have openssl 1.0.0-25 (also seeing it as 1.0.0-fips) installed on
a test server running CentOS 6.3 (2.6.32-279.14.1.el6.x86_64). It is
the latest one available from the CentOS repositories.

I've downloaded and set up several Certificate Authorities as trusted
certs and their accompanying CRLs.  I've created the hash links for
the CRLs and CAs as well.

When I run a test on some test certificates I received, they all come
back OK, even though some are expired and some are revoked.

I've run the following verify command and expected different results
to flag TestOne as valid, TestThirtySeven as Revoked and TestForty as
expired.

I also tried crl_check_all and purpose flags, with no different results.

[root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose TestOne_Valid.pem
TestOne_Valid.pem: OK
[root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose TestForty_Expired.pem
TestForty_Expired.pem: OK
[root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose TestThirtySeven_Revoked.pem
TestThirtySeven_Revoked.pem: OK
[root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose -purpose sslclient TestOne_Valid.pem
TestOne_Valid.pem: OK
[root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose -purpose sslclient TestForty_Expired.pem
TestForty_Expired.pem: OK
[root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose -purpose sslclient TestThirtySeven_Revoked.pem
TestThirtySeven_Revoked.pem: OK
[root@dmapsdev01 TestCerts]#

Similarly, when I run from a browser, with tomcat configured for CRL
checking (using APR & tcnative), tomcat lets the expired and revoked
certificates pass.
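A self-contained reproduction of the check discussed in this thread, added here as an example and not taken from either message: it builds a throwaway CA, issues three one-day leaf certificates, revokes one through a CRL, and runs `openssl verify -crl_check` against a hashed `-CApath` store named explicitly on the command line (the default store is not relied on). All file and subject names are invented; `openssl` is assumed to be on PATH. `-attime` evaluates the one-day certificate three days later instead of waiting for it to expire, and `-crl_check` is used rather than `-crl_check_all`, which additionally needs a CRL for every certificate in the chain.

```shell
# Added example (not from the thread): throwaway CA, three one-day leaf certs,
# one revoked via a CRL, then "openssl verify -crl_check" against an explicit
# hashed -CApath store. Every file and subject name below is invented.
set -eu
WORK=$(mktemp -d)
setup_pki() {
  cd "$WORK"
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
crlnumber = crlnumber
private_key = ca.key
certificate = ca.pem
default_md = sha256
default_crl_days = 30
EOF
  touch index.txt; echo 01 > crlnumber
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.pem -subj /CN=DemoRootCA -days 30 2>/dev/null
  openssl genrsa -out leaf.key 2048 2>/dev/null
  i=0; for n in valid revoked expired; do i=$((i + 1))   # serials 1, 2, 3
    openssl req -new -config ca.cnf -key leaf.key -subj "/CN=$n" -out $n.csr 2>/dev/null
    openssl x509 -req -in $n.csr -CA ca.pem -CAkey ca.key -set_serial $i \
      -days 1 -out $n.pem 2>/dev/null                       # valid for one day
  done
  openssl ca -config ca.cnf -revoke revoked.pem 2>/dev/null   # marks serial 2 revoked
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
  # Hashed store as in the thread: <hash>.0 for the CA, <hash>.r0 for its CRL.
  mkdir store; cp ca.pem "store/$(openssl x509 -noout -hash -in ca.pem).0"
  cp crl.pem "store/$(openssl crl -noout -hash -in crl.pem).r0"
}
# Prints "OK" or the verify error text; verify options first, cert file last.
verify_status() {
  if out=$(cd "$WORK" && openssl verify -crl_check -CApath store "$@" 2>&1); then echo OK
  else echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1; fi
}
setup_pki
verify_status valid.pem                                            # OK
verify_status revoked.pem                                          # certificate revoked
verify_status -attime $(( $(date +%s) + 3 * 86400 )) expired.pem   # certificate has expired
```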

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org