OpenSSL 1.1.1h not detecting expired certs

Paul Smith paul at mad-scientist.net
Sun Nov 1 16:59:01 UTC 2020


On Sun, 2020-11-01 at 11:16 -0500, Paul Smith wrote:
> Does anyone have any ideas about what I might check to figure out
> what's happening here?  The release notes discuss enabling
> MinProtocol and MaxProtocol; I do not use these and in fact I don't
> invoke SSL_CONF_*() at all.  Is this an issue?  Should I do this?

Hm.

OK, I checked my code and I wasn't using SSL_CONF_*(), but I was using
this after I created my SSL_CTX:

    _ctxt = SSL_CTX_new(TLS_method());
    SSL_CTX_set_min_proto_version(_ctxt, TLS1_2_VERSION);

Does that no longer work properly for some reason?

If I replace the above with this:

    _ctxt = SSL_CTX_new(TLS_method());
    SSL_CONF_CTX* cctxt = SSL_CONF_CTX_new();
    SSL_CONF_CTX_set_ssl_ctx(cctxt, _ctxt);
    SSL_CONF_cmd(cctxt, "MinProtocol", "TLSv1.2");

Now it works.

Is this a bug?  Or was I just never using the interface properly?

If I switch to the new method of configuration, it's not clear to me
whether or not I need to preserve the SSL_CONF_CTX structure after the
above code bit, as long as the SSL_CTX is there, or if I can free it
immediately afterward.

Based on the way it's used it seems like it only needs to exist as long
as I need to configure the SSL_CTX, then it can go away and the SSL_CTX
can live on.


