<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>定平袁, you are welcome.<br>
</p>
<p>The OpenSSL version you are using is way too old!<br>
Do not use version 1.1.0, 1.0.x, or anything older; those
versions are unsupported and must be considered insecure.</p>
<p>Yet since both your old and new server certs are unexpired and
have the same subject, keyIdentifier, and serial number,<br>
and you appended the new server cert to your list, it is no
surprise that the certificate chain building algorithm picks
up the old one.<br>
For efficiency reasons, no other (equally applicable) certificates
will be tried.<br>
I've just clarified this and some further details in <a
href="https://github.com/openssl/openssl/pull/13735">https://github.com/openssl/openssl/pull/13735</a>.</p>
<p>I think Michael Wojcik already gave the right hint to solve your
problem two days ago:<br>
</p>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Why are you appending it to the file containing the existing certificate?</pre>
</blockquote>
<p>So I suggest you prepend the new certificate to that file
rather than appending it,<br>
or, even better, remove the old (non-matching) certificate from
that file.</p>
<p>Hope this helps,</p>
<p> David</p>
<p><br>
P.S.: I will be unavailable for several days, too.<br>
<br>
</p>
<div class="moz-cite-prefix">On 23.12.20 04:15, 定平袁 wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CABYODQ-iUOs5d=tAuZkvNAaCQFW0u4J_Qp9Lf8A_6cVzvYD5Cg@mail.gmail.com">
<div dir="ltr">
<div>@David Thanks for your help!</div>
<div>This is my OpenSSL version, and the self-compiled curl
backend:<br>
</div>
<pre>$ openssl version
OpenSSL 1.0.2g 1 Mar 2016

$ ldd /usr/bin/openssl |grep ssl
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f3099799000)

$ ldd ./lib/.libs/libcurl.so |grep ssl
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f8720fd4000)</pre>
<div>The system's built-in curl binary:</div>
<pre>$ ldd /usr/bin/curl |grep tls
libcurl-gnutls.so.4 => /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 (0x00007f4b7fa07000)
libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f4b7e851000)</pre>
<div>Actually, neither the old cert nor the new cert has expired
yet; it is just that the old cert is not consistent with the server
side. The new cert has the same content as the cert imported on the
server side (after the replacement).<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">David von Oheimb &lt;<a
href="mailto:dev@ddvo.net">dev@ddvo.net</a>&gt;
wrote on Tue, 22 Dec 2020 at 22:27:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>@定平袁, which version of OpenSSL are you using?<br>
<br>
I've just checked: since OpenSSL 1.1.0, expired
certificates are effectively not used for chain building.</p>
<p> David<br>
</p>
<div>On 20.12.20 02:02, 定平袁 wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>the exact behavior:</div>
<div><br>
</div>
<div>When looking up CA certificates, the OpenSSL
library will first search the certificates in <b>CAfile</b>,
then those in <b>CApath</b>.
Certificate matching is done based on the subject
name, the key identifier (if present), and the
serial number as taken from the certificate to be
verified. If these data do not match, the next
certificate will be tried. If a first certificate
matching the parameters is found, the verification
process will be performed; no other certificates for
the same parameters will be searched in case of
failure.</div>
<div><br>
</div>
<div>Why will no other certificates for the same
parameters be searched?</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">定平袁 &lt;<a
href="mailto:pkudingping@gmail.com">pkudingping@gmail.com</a>&gt;
wrote on Sun, 20 Dec 2020 at 08:59:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr"><span>Hello everyone,</span>
<div><br>
</div>
<div>Recently I have been trying to rotate a cert, and the client
uses the Python requests lib, which leverages OpenSSL. Here
are my steps:</div>
<div><br>
</div>
<div>1. Generate a new cert, and append it to the cert
file (at this point there are 2 certs in the file; the
first is the old cert, the second is the new one, and they
have the same Subject). Restart the client-side process. (No
problem here, because the first cert matches the server-side
cert and verifies successfully.)</div>
<div>2. Replace the server-side cert with the new cert.</div>
<div><br>
</div>
<div>As soon as I perform step #2, the client-side process
starts to show the error "<code>certificate verify failed</code>".
This would cause downtime for my apps. I am new to
this, and not sure whether there is anything wrong
with my usage or understanding. But I found
this page <a
href="https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html">https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html</a>,
and it describes exactly the behavior I see in my test:</div>
<div><br>
</div>
<div>If several CA certificates matching the name, key
identifier, and serial number condition are
available, only the first one will be
examined. This may lead to unexpected results
if the same CA certificate is available with
different expiration dates. If a "certificate
expired" verification error occurs, no other
certificate will be searched. Make sure to not
have expired certificates mixed with valid
ones.</div>
<div><br>
</div>
<div>So I am wondering how to rotate a cert in such a
case? It would be very helpful if anyone could
help with this. Thanks.<br>
</div>
<div><br>
</div>
<div>BTW, I tested the same cert file with curl (compiled
with GnuTLS), and it works fine.<br>
</div>
<div><br>
</div>
<div>Regards</div>
<div>Dingping</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
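<p>The rotation procedure quoted at the bottom of this thread (append the renewed cert to the client's CAfile, then swap the cert on the server) is exactly what trips a lookup that stops at the first subject match. As an added example that is not part of this thread and is not OpenSSL's or curl's own code, the Go program below audits a PEM bundle for the two conditions the 1.0.2 manual warns about (several certificates with the same subject, and expired certificates mixed with valid ones) and rewrites the bundle the way David suggests: renewed certificate first, old same-subject certificate removed. It relies only on Go's standard <code>crypto/x509</code> package; the common name <code>api.example.internal</code> and the freshly generated throwaway keys are constructed test data standing in for the poster's real certificates. Go's chain builder is not OpenSSL's, so the program demonstrates the bundle hygiene, not the 1.0.2 verification failure itself.</p>

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// parseBundle splits a PEM bundle (OpenSSL's CAfile) into certificates in file order.
func parseBundle(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // keys or parameters that sometimes end up in a bundle
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// auditBundle reports what the OpenSSL 1.0.2 manual warns about: repeated
// subjects (only the first match is tried) and certificates outside their validity.
func auditBundle(certs []*x509.Certificate, now time.Time) []string {
	var findings []string
	firstBySubject := map[string]int{}
	for i, c := range certs {
		if first, dup := firstBySubject[string(c.RawSubject)]; dup {
			findings = append(findings, fmt.Sprintf("cert #%d repeats the subject of cert #%d (%q); a 1.0.2 client only tries #%d", i, first, c.Subject.CommonName, first))
		} else {
			firstBySubject[string(c.RawSubject)] = i
		}
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			findings = append(findings, fmt.Sprintf("cert #%d (%q, serial %d) is outside its validity period", i, c.Subject.CommonName, c.SerialNumber))
		}
	}
	return findings
}

func encodeCert(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// rotateBundle puts the renewed certificate first and drops every other
// certificate with the same subject, so the stale cert is gone and a client
// that stops at the first subject match still finds the right one.
func rotateBundle(data []byte, renewed *x509.Certificate) ([]byte, error) {
	certs, err := parseBundle(data)
	if err != nil {
		return nil, err
	}
	out := encodeCert(renewed)
	for _, c := range certs {
		if !bytes.Equal(c.RawSubject, renewed.RawSubject) {
			out = append(out, encodeCert(c)...)
		}
	}
	return out, nil
}

// selfSigned mints a self-signed certificate with a fresh key: constructed test
// data, not real material. The fixed serial mirrors the thread, where old and
// new cert share subject and serial and differ only in key and validity.
func selfSigned(cn string, notBefore time.Time, days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(0, 0, days),
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	old, _ := selfSigned("api.example.internal", now.AddDate(-1, 0, 0), 730) // hypothetical CN
	renewed, _ := selfSigned("api.example.internal", now, 730)
	bundle := append(encodeCert(old), encodeCert(renewed)...) // the poster's step 1: append
	before, _ := parseBundle(bundle)
	rotated, _ := rotateBundle(bundle, renewed)
	after, _ := parseBundle(rotated)
	fmt.Println("before:", auditBundle(before, now), "\nafter:", auditBundle(after, now))
}
```

<p>Run <code>auditBundle</code> against the bundle before restarting any client: the "repeats the subject" finding is the situation from step 1 of the quoted procedure, and it is the moment to call <code>rotateBundle</code> rather than to swap the server certificate. Matching on <code>RawSubject</code> (the DER-encoded name) rather than on the printable CN avoids false negatives when two names print the same but encode differently.</p>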
</body>
</html>