OpenSSL 1.1.1h not detecting expired certs

Viktor Dukhovni openssl-users at
Sun Nov 1 20:27:04 UTC 2020

On Sun, Nov 01, 2020 at 11:16:24AM -0500, Paul Smith wrote:

> I have a test in my test suite that constructs an expired self-signed
> cert and attempts to use it to connect to the server.  When I link my
> server with OpenSSL 1.1.1g, it is detected properly and I see in the
> log (this is a construct of various openssl error info):
>   SSL_accept failed: error:14094415:SSL routines:ssl3_read_bytes:sslv3
>     alert certificate expired::0:SSL alert number 45

Just to make sure I've understood you correctly, the certificate in
question is used as a client certificate, right?  And the server is
both soliciting and *requiring* client certificates?

What software is the client using?  Is the (partly) negotiated protocol
TLS 1.2 or TLS 1.3?

If the client uses some random self-signed certificate, why does it
matter whether it is expired or not?  It is untrusted regardless...  Or
is the server configured to explicitly trust this self-signed
certificate, but you want to do that only until "expiration"?

What verify callback, if any, are you using in your server?

> If I leave EVERYTHING the same about my environment and re-link the
> server with OpenSSL 1.1.1h instead (just re-linking the binaries with a
> new static libssl libcrypto), then this expired certificate is no
> longer detected by the server and the connection succeeds.

It would be helpful if you posted the client public certificate (no need
for the private key).  Details of its construction can affect the
verification failure mode.


More information about the openssl-users mailing list