Date: Fri, 5 Jun 2020 17:08:30 +0200
From: Andrea Venturoli <ml@netfence.it>
To: freebsd-questions@freebsd.org
Subject: Openssl on 11.x and expired certificates [was: IMAP && Server certificate has expired]
Message-ID: <247ae2fd-a7e8-146b-be43-47ca247cca10@netfence.it>
In-Reply-To: <E8FACC8D-7BE7-4A59-ACE1-65CAFFD24715@rpi.edu>
References: <5e1a71cd-6837-47f1-b485-c583550db48a@unixarea.de> <E8FACC8D-7BE7-4A59-ACE1-65CAFFD24715@rpi.edu>
On 2020-06-01 00:16, Garance A Drosehn wrote:
> There is a cert from AddTrust which expired early on Saturday. I
> believe it was the cert for certificate-authority named USERTrust RSA.
> This shouldn't have been a problem, because there is a newer cert for
> that same CA which has not expired.
>
> I do not understand all the details, but apparently there is a bug in
> versions of OpenSSL which are older than version 1.1. If the older
> (now-expired) cert is known on some system, it is used instead of the
> newer cert. And therefore that cert, and every cert which was generated
> by that CA is also considered invalid. This problem hit us at RPI on
> many Redhat systems yesterday.
>
> I also saw the problem in Mail.app on some of my older MacOS systems,
> but Mail.app does not have this problem on MacOS catalina.

I can see it too, on many sites.
E.g. "openssl s_client -connect www.allmusic.com:https" passes verification on 12.1, but fails on 11.3.
Deleting the expired certificate from /etc/ssl/cert.pem is enough to solve the problem.

Is anyone looking into this?
What is the official position/suggestion for those stuck on 11.x?
Has at least a bug been reported?

 bye & Thanks
	av.
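A defender-side check for the situation in this thread, added here as an example (not code from the thread, from FreeBSD or from OpenSSL): it scans a PEM bundle such as /etc/ssl/cert.pem, reports every certificate whose notAfter has passed, and returns the bundle with those certificates removed, using a minimal DER walk so it needs no openssl binary. The sample bundle is constructed from unsigned DER skeletons, not real certificates, and `tlv`, `not_after`, `prune_expired`, `der`, `fake_cert` and `SAMPLE_BUNDLE` are this example's own names.

```python
import base64, re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos=0):                                    # one DER tag-length-value at pos -> (tag, value, end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def not_after(der):
    """Walk Certificate -> tbsCertificate -> Validity and return notAfter as an aware UTC datetime."""
    tbs = tlv(tlv(der)[1])[1]
    pos = tlv(tbs)[2] if tbs[0] == 0xA0 else 0          # skip optional [0] EXPLICIT version
    for _ in range(3):                                  # skip serialNumber, signature, issuer
        pos = tlv(tbs, pos)[2]
    validity = tlv(tbs, pos)[1]
    tag, value, _ = tlv(validity, tlv(validity)[2])     # second element of Validity is notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # 0x17 UTCTime, 0x18 GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def prune_expired(bundle, now=None):
    """Return (bundle text with expired certs removed, list of the dropped notAfter values)."""
    now = now or datetime.now(timezone.utc)
    kept, expired = [], []
    for m in PEM_RE.finditer(bundle):
        exp = not_after(base64.b64decode("".join(m.group(1).split())))
        if exp < now:
            expired.append(exp)
        else:
            kept.append(m.group(0) + "\n")
    return "".join(kept), expired

# Constructed sample input: minimal unsigned DER skeletons, not real certificates.
def der(tag, *parts):
    body = b"".join(parts)
    assert len(body) < 128                              # short-form length suffices for the sample
    return bytes([tag, len(body)]) + body

def fake_cert(not_after_utctime):
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
              der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")), der(0x30),
              der(0x30, der(0x17, b"200101000000Z"), der(0x17, not_after_utctime.encode())))
    pem = base64.encodebytes(der(0x30, tbs, der(0x30), der(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + pem + "-----END CERTIFICATE-----\n"
# One cert that expired on Saturday 2020-05-30 (the date in the thread), one valid until 2038.
SAMPLE_BUNDLE = fake_cert("200530104838Z") + fake_cert("380118235959Z")
```

Run against the contents of /etc/ssl/cert.pem on an 11.x host it lists the expired notAfter values and returns a cleaned bundle to review before writing it back. UTCTime years 50..68 parse as 20xx under strptime's %y rather than the 19xx that RFC 5280 specifies, which only affects certificates expired for decades.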