[openssl-dev] [openssl.org #4233] [bug][openssl verify] pre-valid certificate return code inconsistency
Zak Blacher via RT
rt at openssl.org
Wed Jan 13 23:36:38 UTC 2016
Darn, and I was hoping to be able to patch it myself :)
-Zak
*Zak Blacher*
Software Engineer
Security Infrastructure
206.453.9955
zblacher at linkedin.com
linkedin.com/in/zakblacher
On Wed, Jan 13, 2016 at 2:44 PM, Viktor Dukhovni via RT <rt at openssl.org> wrote:
> On Wed, Jan 13, 2016 at 06:58:14PM +0000, Zak Blacher via RT wrote:
>
> > I've found an inconsistency in the return status of 'openssl verify'. I've
> > attached a custom dummy ca, and an example certificate. This certificate is
> > valid for some date range in the future.
> >
> > On my redhat machine (openssl 1.0.1e), running openssl verify will return a
> > status code of 2, but in osx (openssl 0.98zg), the return status is 0. In
> > both cases, I correctly see an error 9 in the function output.
> >
> > The behavior of validating an expired certificate returns a status code of
> > 0 on both systems.
>
> Yes, certain errors were ignored in verify(1), allowing chain
> verification to continue, but should have been noted at the end.
>
> I have a fix for the master release pending review, should appear
> in 1.1.0 alpha2 if it gets reviewed today.
>
> Backports to 1.0.1 and 1.0.2 later if deemed appropriate. 0.9.8
> and 1.0.0 are EOL, so they'll not get fixed.
>
> --
> Viktor.
>
>
>
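Because the thread reports that the exit status of `openssl verify` can be 0 even when an "error 9" line is printed, a script that gates on certificate validity can check the diagnostic lines as well as the status. The following is an added example, not code from the thread or from OpenSSL; the function names are hypothetical, the sample output is constructed, and it assumes diagnostics of the form `error N at D depth lookup`.

```shell
#!/bin/sh
# Added example: judge `openssl verify` by its diagnostics AND its exit status,
# so that a build which prints "error 9 ..." but exits 0 is still a failure.

# verify_result STATUS
# Reads captured verify output on stdin. Succeeds only when STATUS is 0 and
# no "error N at D depth lookup" diagnostic line is present.
verify_result() {
    status=$1
    if grep -Eq '^error [0-9]+ at [0-9]+ depth lookup'; then
        return 1
    fi
    [ "$status" -eq 0 ]
}

# list_error_codes
# Prints the distinct verification error numbers found on stdin, one per line.
list_error_codes() {
    sed -n 's/^error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | sort -un
}

# strict_verify CAFILE CERT
# Runs openssl verify, echoes its output, and applies verify_result to it.
strict_verify() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1)
    status=$?
    printf '%s\n' "$out"
    printf '%s\n' "$out" | verify_result "$status"
}

# Constructed sample output (not captured from a real run): a not-yet-valid
# certificate where the tool still prints OK, and a clean verification.
SAMPLE_PREVALID='future.pem: CN = example
error 9 at 0 depth lookup:certificate is not yet valid
OK'
SAMPLE_CLEAN='good.pem: OK'
```

Typical use is `strict_verify ca.pem cert.pem || exit 1` in place of a bare `openssl verify` call.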