OpenSSL 1.1.1h not detecting expired certs

Paul Smith paul at
Sun Nov 1 16:16:24 UTC 2020

I have a server linked (statically) with OpenSSL 1.1.1g (GNU/Linux,
64bit).  I built everything myself, I'm not using any system libraries.

I have a test in my test suite that constructs an expired self-signed
cert and attempts to use it to connect to the server.  When I link my
server with OpenSSL 1.1.1g, it is detected properly and I see in the
log (this is a construct of various openssl error info):

  SSL_accept failed: error:14094415:SSL routines:ssl3_read_bytes:sslv3
    alert certificate expired::0:SSL alert number 45

If I leave EVERYTHING the same about my environment and re-link the
server with OpenSSL 1.1.1h instead (just re-linking the binaries with a
new static libssl libcrypto), then this expired certificate is no
longer detected by the server and the connection succeeds.

To be sure I also tried recompiling with the 1.1.1h headers and see the
same behavior.

I can see that the expiration date is indeed wrong:

  $ openssl x509 -enddate -noout -in expired/trustStore.pem
  notAfter=Oct 27 15:58:50 2020 GMT

but this is not noticed by my server.

Does anyone have any ideas about what I might check to figure out
what's happening here?  The release notes discuss enabling MinProtocol
and MaxProtocol; I do not use these and in fact I don't invoke
SSL_CONF_*() at all.  Is this an issue?  Should I do this?

More information about the openssl-users mailing list