openssl 1.0 vs 1.1 s_client verify CA cert expiration

Hello there

I support an app stack over here, and a short time ago one of the devs contacted me saying that they were getting some SSL cert errors connecting to a server.

Investigating things, it turns out to be the Let's Encrypt CA cert expiration that happened recently. That server is managed by someone else, so they are trying to get them to fix it.

While investigating I saw some strange behavioral differences between OpenSSL 1.0 and 1.1, specifically regarding checking of the CA cert.

If I run this on OpenSSL 1.0.2g (Ubuntu 16.04)

openssl s_client -connect bad_server_name:443 -servername bad_server_name
(the server in question uses SNI)

I get at the end a clear:
Verify return code: 10 (certificate has expired)

If I run on the same OpenSSL:

openssl s_client -connect bad_server_name:443 -servername bad_server_name | openssl x509 -noout -dates

I get these dates:
notAfter=Sep 30 14:01:15 2021 GMT
notBefore=Aug 31 17:59:09 2021 GMT
notAfter=Nov 29 17:59:08 2021 GMT

Which clearly shows the expired cert.

If I try the same on OpenSSL 1.1.1f (Ubuntu 20.04), I get only the server cert
not the CA cert dates:
notBefore=Aug 31 17:59:09 2021 GMT
notAfter=Nov 29 17:59:08 2021 GMT

Also, on the first command there is no error saying the cert is expired on OpenSSL 1.1.1f.

Additional difference: it seems 1.1.1f defaults to a verify depth of 2, and 1.0.2g goes at least to 3 (perhaps more).

If I add -verify 3 to 1.1.1f when connecting, the first bit of output is:
verify depth is 3
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
(even if I set verify depth to 10 it doesn't report anything higher than the cert above)

However on 1.0.2g I get this as the first bit of output:
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired

Can someone point me to the syntax for 1.1.1f that would get it to verify the CA? Or is this a bug (maybe already fixed in a newer version, not sure)?

I am unsure why Let's Encrypt would allow any certs to be signed with a CA cert that was about to expire (especially given their low cert expiration times), but that's their issue.

thanks

nate
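Two mechanics behind the observations above can be reproduced offline without the real server. The script below is an added example, not part of the original post or of OpenSSL's own tooling: it builds a throw-away root / intermediate / leaf chain in which only the intermediate CA has expired, then shows (1) that `openssl x509` parses only the first PEM block it is fed, so piping all of `s_client`'s output into it never reveals the CA certificates' dates, and (2) that `openssl verify` rejects such a chain with "certificate has expired" at the intermediate's depth while the leaf itself is fine. All names, dates, file names and the `ca.cnf` contents are constructed for the demo; it assumes OpenSSL 1.1.1 or later (for `verify -no_check_time`).

```shell
#!/bin/sh
# Added example (not from the post). Builds a demo chain whose intermediate CA
# is expired and shows how to inspect and verify it with the openssl CLI.
set -eu
work=$(mktemp -d)
cd "$work"
mkdir newcerts
: > index.txt
echo 01 > serial

# Minimal config for `openssl req` and `openssl ca` (constructed for this demo).
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database      = index.txt
serial        = serial
new_certs_dir = newcerts
default_md    = sha256
policy        = policy_any
[ policy_any ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
EOF

# Root CA: self-signed, valid for ten years from now.
openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Demo Root" -days 3650 2>/dev/null

# Intermediate CA: signed by the root with a validity window that already ended
# (the same shape as an expired issuer in a production chain).
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate" 2>/dev/null
openssl ca -config ca.cnf -batch -notext -cert root.pem -keyfile root.key \
    -extensions ca_ext -startdate 20200101000000Z -enddate 20210101000000Z \
    -in inter.csr -out inter.pem 2>/dev/null

# Leaf: signed by the (now expired) intermediate, but itself still valid.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=demo.example" 2>/dev/null
openssl ca -config ca.cnf -batch -notext -cert inter.pem -keyfile inter.key \
    -extensions leaf_ext -startdate 20200101000000Z -enddate 20991231235959Z \
    -in leaf.csr -out leaf.pem 2>/dev/null

# What `openssl s_client -showcerts` would hand us: leaf first, then the intermediate.
cat leaf.pem inter.pem > bundle.pem

# Number of certificates in a PEM bundle.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Only the first certificate: this is all `openssl x509` sees when fed a whole bundle.
first_cert_dates() { openssl x509 -in "$1" -noout -subject -dates; }

# Subject and validity of EVERY certificate in the bundle: split on the PEM
# markers and run `openssl x509` once per block.
all_cert_dates() {
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/split" n ".pem" }
        n { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$1"
    for f in "$work"/split*.pem; do
        openssl x509 -in "$f" -noout -subject -dates
    done
    rm -f "$work"/split*.pem
}

# Chain verification against the demo root. Exits non-zero with
# "error 10 at 1 depth lookup: certificate has expired" (depth 1 = intermediate).
verify_chain() {
    openssl verify -CAfile "$work/root.pem" -untrusted "$work/inter.pem" "$work/leaf.pem"
}

# Same chain with time checks disabled: succeeds, so the expired intermediate is
# the only defect in the chain.
verify_chain_ignoring_time() {
    openssl verify -no_check_time -CAfile "$work/root.pem" -untrusted "$work/inter.pem" "$work/leaf.pem"
}

echo "== first cert only (what piping s_client output into 'openssl x509' shows)"
first_cert_dates bundle.pem
echo "== every cert in the bundle"
all_cert_dates bundle.pem
echo "== openssl verify (expected to fail at depth 1)"
verify_chain || true
```

Feed `all_cert_dates` the output of `openssl s_client -showcerts -connect host:443 -servername host` to see the dates of every certificate the server actually sends. On the depth difference itself: since 1.1.0, OpenSSL's path builder prefers a matching issuer from the local trust store over the one the server sent (the behaviour 1.0.2 only applies when given `-trusted_first`), which is why 1.1.1 stops at ISRG Root X1 from the trust store while 1.0.2 keeps walking the server-supplied chain to the expired DST Root CA X3.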
