[openssl-dev] [openssl.org #4233] [bug][openssl verify] pre-valid certificate return code inconsistency

Viktor Dukhovni via RT rt at openssl.org
Wed Jan 13 22:44:31 UTC 2016


On Wed, Jan 13, 2016 at 06:58:14PM +0000, Zak Blacher via RT wrote:

> I've found an inconsistency in the return status of 'openssl verify'. I've
> attached a custom dummy ca, and an example certificate. This certificate is
> valid for some date range in the future.
> 
> On my redhat machine (openssl 1.0.1e), running openssl verify will return a
> status code of 2, but in osx (openssl 0.98zg), the return status is 0. In
> both cases, I correctly see an error 9 in the function output.
> 
> The behavior of validating an expired certificate returns a status code of
> 0 on both systems.

Yes, certain errors were ignored in verify(1), allowing chain
verification to continue, but should have been noted at the end.

I have a fix for the master release pending review, should appear
in 1.1.0 alpha2 if it gets reviewed today.

Backports to 1.0.1 and 1.0.2 later if deemed appropriate.  0.9.8
and 1.0.0 are EOL, so they'll not get fixed.

-- 
	Viktor.
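A fail-closed wrapper for the inconsistency discussed above, added here as an example that is not part of the thread or of OpenSSL: it does not trust the exit status of verify(1) alone and treats any `error N at D depth lookup` line in the output as a failure. The sample outputs are constructed, and the assumed output format is the classic one-error-per-line form (`error 9 at 0 depth lookup:certificate is not yet valid`).

```shell
# Added example (not from the thread or from OpenSSL): fail closed on verify(1)
# output, since older releases printed a lookup error and still exited 0.
# Assumed output format: "error 9 at 0 depth lookup:certificate is not yet valid".

# verify_output_ok OUTPUT
# Returns 0 only if OUTPUT has no "error N at D depth lookup" line and ends in OK.
verify_output_ok() {
    out=$1
    # Any lookup error, even one verify(1) used to ignore (9, 10, ...), is fatal.
    if printf '%s\n' "$out" | grep -Eq '^error [0-9]+ at [0-9]+ depth lookup:'; then
        return 1
    fi
    # Require an explicit OK verdict; no verdict at all is also a failure.
    printf '%s\n' "$out" | grep -Eq '(^|: )OK$'
}

# strict_verify CAFILE CERT
# Runs openssl verify and ANDs its exit status with the output check above.
strict_verify() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1)
    rc=$?
    printf '%s\n' "$out"
    [ "$rc" -eq 0 ] && verify_output_ok "$out"
}

# Constructed sample outputs mirroring the report: a not-yet-valid certificate
# (error 9) and an expired one (error 10) that verify(1) still marked OK,
# plus a genuinely clean result.
NOT_YET_VALID_OUT='cert.pem: CN = example
error 9 at 0 depth lookup:certificate is not yet valid
OK'
EXPIRED_OUT='cert.pem: CN = example
error 10 at 0 depth lookup:certificate has expired
OK'
CLEAN_OUT='cert.pem: OK'
```

`strict_verify` returns non-zero whenever either the tool's own exit status or the output check fails, so a script using it behaves the same on 0.9.8 and 1.0.1 despite the differing exit codes.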
