[openssl-dev] [openssl.org #2768] Bug: internal_verify() hides errors from callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

Daniel Kahn Gillmor via RT rt at openssl.org
Wed Feb 3 21:18:15 UTC 2016


On Mon 2016-02-01 18:46:20 -0500, Viktor Dukhovni wrote:
> On Mon, Feb 01, 2016 at 11:38:49PM +0000, Alex Rousskov via RT wrote:
>
>> On 02/01/2016 02:32 PM, openssl-dev at openssl.org via RT wrote:
>> 
>> > Please be more explicit about what errors you feel were not reported.
>> 
>> One specific error mentioned during the previous discussion was "expired
>> certificate". This was ~four years ago, so my recollection may be
>> faulty, but I believe that was _not_ the only hidden error.
>
> Expiration makes no sense for a certificate at the top of the chain,
> it has no issuer, so the date is unsigned and meaningless.

if the cert at the top of the chain is self-signed, it's entirely
reasonable to say that the expiration date is meaningful.  For example,
I could distribute a certificate for a root authority which i intend to
only be useful for 2 years.

How else should i indicate to the end user that the cert should be
considered unusable after that time?

the fact that a root cert is *not* expired is maybe not too meaningful.
But if it *is* limited in time, then we should take it at its word and
not rely on it after that point, in the same way that if the root cert
is limited via nameConstraints, we should take it at its word and not
rely on it for names outside the bounds of what it declares itself valid
for.

     --dkg
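
The policy argued for in the message above, as an added example that is not part of the original post and is not OpenSSL's code: a simplified Python model that applies notAfter and nameConstraints to the self-signed root like any other certificate and reports every failure to a callback. Signature checking is omitted; the Cert class, verify_chain, the error labels (modelled on OpenSSL's X509_V_ERR_* names) and all sample values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Cert:
    """Simplified stand-in for an X.509 certificate (constructed model)."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    permitted_dns: tuple = ()  # nameConstraints permitted subtrees; empty = unconstrained

def name_permitted(host, subtrees):
    """True if host lies inside at least one permitted DNS subtree."""
    return not subtrees or any(host == s or host.endswith("." + s) for s in subtrees)

def verify_chain(chain, host, now, callback):
    """chain[0] is the leaf, chain[-1] the self-signed root.

    Every certificate, the root included, is held to its own validity period
    and name constraints. Each failure goes to callback(depth, cert, error)
    and the walk continues, so one error never hides another.
    """
    errors = []
    for depth, cert in enumerate(chain):
        found = []
        if now < cert.not_before:
            found.append("CERT_NOT_YET_VALID")
        if now > cert.not_after:
            found.append("CERT_HAS_EXPIRED")
        if not name_permitted(host, cert.permitted_dns):
            found.append("PERMITTED_VIOLATION")
        for err in found:
            callback(depth, cert, err)
            errors.append((depth, err))
    return errors

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample: a root meant to be useful for two years, limited to example.org.
ROOT = Cert("Example Root", "Example Root", utc(2014, 1, 1), utc(2016, 1, 1), ("example.org",))
LEAF = Cert("www.example.net", "Example Root", utc(2015, 3, 1), utc(2016, 6, 1))

def demo():
    """Verify the leaf one month after the root's notAfter, for a name outside its subtree."""
    return verify_chain([LEAF, ROOT], "www.example.net", utc(2016, 2, 3),
                        lambda depth, cert, err: print(depth, cert.subject, err))
```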



