OpenSSL 1.1.1h not detecting expired certs
Paul Smith
paul at mad-scientist.net
Sun Nov 1 16:16:24 UTC 2020
I have a server linked (statically) with OpenSSL 1.1.1g (GNU/Linux,
64bit). I built everything myself, I'm not using any system libraries.
I have a test in my test suite that constructs an expired self-signed
cert and attempts to use it to connect to the server. When I link my
server with OpenSSL 1.1.1g, it is detected properly and I see in the
log (this is a construct of various openssl error info):
SSL_accept failed: error:14094415:SSL routines:ssl3_read_bytes:sslv3
alert certificate expired::0:SSL alert number 45
If I leave EVERYTHING the same about my environment and re-link the
server with OpenSSL 1.1.1h instead (just re-linking the binaries with a
new static libssl libcrypto), then this expired certificate is no
longer detected by the server and the connection succeeds.
To be sure I also tried recompiling with the 1.1.1h headers and see the
same behavior.
I can see that the expiration date is indeed wrong:
$ openssl x509 -enddate -noout -in expired/trustStore.pem
notAfter=Oct 27 15:58:50 2020 GMT
but this is not noticed by my server.
Does anyone have any ideas about what I might check to figure out
what's happening here? The release notes discuss enabling MinProtocol
and MaxProtocol; I do not use these and in fact I don't invoke
SSL_CONF_*() at all. Is this an issue? Should I do this?
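One thing worth checking, independent of whatever libssl itself enforces, is an explicit application-level re-check of the peer certificate's validity period after the handshake. The following is an added example (not code from the post or from OpenSSL), using Python's standard ssl module; the peer-cert dictionary is constructed here with the notAfter value from the post, and the server-context helper assumes hypothetical file paths:

```python
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, with the
# notAfter value taken from the expired trustStore.pem shown in the post.
EXPIRED_PEER_CERT = {
    "subject": ((("commonName", "expired-test-client"),),),
    "issuer": ((("commonName", "expired-test-client"),),),
    "notBefore": "Oct 27 15:58:50 2019 GMT",
    "notAfter": "Oct 27 15:58:50 2020 GMT",
    "serialNumber": "01",
}


def cert_period_error(cert, now=None):
    """Return None if `now` (epoch seconds, default: current time) lies inside
    the certificate's validity period, otherwise a string naming the problem.
    This duplicates a check the TLS library should already make, so a
    library-side regression still fails the connection at the application."""
    now = time.time() if now is None else now
    try:
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    except (KeyError, ValueError) as exc:
        return "cert validity period unreadable: %s" % exc
    if now < not_before:
        return "cert not yet valid (notBefore=%s)" % cert["notBefore"]
    if now > not_after:
        return "cert expired (notAfter=%s)" % cert["notAfter"]
    return None


def make_server_context(cafile, certfile, keyfile):
    """Server context that requires and verifies a client certificate.
    All three paths are assumptions supplied by the caller."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=cafile)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def accept_client(conn):
    """After the handshake, re-check the peer's validity period; close on any
    problem and return the reason (None when the cert is acceptable)."""
    cert = conn.getpeercert()  # empty dict if no certificate was presented
    problem = cert_period_error(cert) if cert else "no client certificate"
    if problem:
        conn.close()
    return problem
```

Logging the returned reason alongside the SSL_accept result makes it obvious whether the library or the application rejected the peer.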