Just for the records: my workaround was to check the expiration date
while dumping the certificates into the file, and skipping the expired
ones. Further, I dump the certificates once a day to avoid issues with
certificates expired after doing the dump.
regards
Klaus
On 13.09.2012 17:09, Erik Tkal wrote:
I suppose that’s a workaround, but doesn’t address the root cause.
Windows can quite happily handle expired certificates still hanging out
in trusted stores; I see this all the time as root updates occur and
renewed certificates are installed. It seems that a change in OpenSSL
broke the previous behaviour that allowed this as well, though we can’t
tell if it’s the s_client app or the OpenSSL cert store functionality
that changed this.
*Erik Tkal**
*Juniper OAC/UAC/Pulse Development
*From:*owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] *On Behalf Of *Charles Mills
*Sent:* Thursday, September 13, 2012 9:42 AM
*To:* openssl-users@openssl.org
*Subject:* RE: certificate validation issues with openssl 1.0.0 and
expired certificates in cafile
Would it make sense to delete the expired certificate from the Windows
store? Duplicate expired/non expired CA certificates sounds to me like a
problem waiting to happen.
/Charles/
*From:*owner-openssl-us...@openssl.org
mailto:owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] *On Behalf Of *Ashok C
*Sent:* Thursday, September 13, 2012 12:49 AM
*To:* openssl-users@openssl.org mailto:openssl-users@openssl.org
*Subject:* Re: certificate validation issues with openssl 1.0.0 and
expired certificates in cafile
Sending again as the previous email did not appear in list.
Is there some problem with the mailing list?
--
Ashok
On Wed, Sep 12, 2012 at 2:59 PM, Ashok C ash@gmail.com
mailto:ash@gmail.com wrote:
Hi,
I don't think this question was answered. Could you please reply?
--
Ashok
On Tue, Jul 31, 2012 at 11:13 PM, Klaus Darilion
klaus.mailingli...@pernau.at mailto:klaus.mailingli...@pernau.at wrote:
Hi!
I wrote a small program which dumps all root certificates from Windows
certificate store into a file. Then I use openssl to connect to Google
and validate its certificate:
openssl s_client -connect www.google.com:443 http://www.google.com:443
-CAfile dump.crt
When using openssl0.9.8k or openssl0.9.8x everything works as expected.
When using openssl1.0.0g or openssl 1.0.1c the certificate validation
fails with:
Verify return code: 10 (certificate has expired)
CONNECTED(016C)
depth=2 C = US, O = VeriSign, Inc., OU = Class 3 Public Primary
Certification Authority
verify error:num=10:certificate has expired
notAfter=Jan 7 23:59:59 2004 GMT
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
http://www.google.com
i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Authority
When analyzing the cafile with the dumped certificates from Windows
certificate store, I found out that there are two certificates for
Verisign with identical subject, whereas one is expired, the other not.
X.509 Certificate Information:
Version: 1
Serial Number (hex): 00e49efdf33ae80ecfa5113e19a4240232
Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Certification Authority
Validity:
Not Before: Mon Jan 29 00:00:00 UTC 1996
Not After: Wed Jan 07 23:59:59 UTC 2004
Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Certification Authority
Subject Public Key Algorithm: RSA
X.509 Certificate Information:
Version: 1
Serial Number (hex): 70bae41d10d92934b638ca7b03ccbabf
Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Certification Authority
Validity:
Not Before: Mon Jan 29 00:00:00 UTC 1996
Not After: Tue Aug 01 23:59:59 UTC 2028
Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Certification Authority
Subject Public Key Algorithm: RSA
Thus, it seems that openssl 0.9.8 just ignores the expired certificate
and searches if there is another valid one whereas openssl 1.0.0 stop
with the first expired certificate.
Is the new behavior the intended behavior? Is it possible to have the
old behavior also in new openssl versions?
Thanks
Klaus
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
mailto:openssl-users@openssl.org
Automated List Manager majord...@openssl.org mailto:majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl