Openssl on 11.x and expired certificates [was: IMAP && Server certificate has expired]
Andrea Venturoli
ml at netfence.it
Fri Jun 5 15:08:42 UTC 2020
On 2020-06-01 00:16, Garance A Drosehn wrote:
> There is a cert from AddTrust which expired early on Saturday. I
> believe it was the cert for certificate-authority named USERTrust RSA.
> This shouldn't have been a problem, because there is a newer cert for
> that same CA which has not expired.
>
> I do not understand all the details, but apparently there is a bug in
> versions of OpenSSL which are older than version 1.1. If the older
> (now-expired) cert is known on some system, it is used instead of the
> newer cert. And therefore that cert, and every cert which was generated
> by that CA is also considered invalid. This problem hit us at RPI on
> many Redhat systems yesterday.
>
> I also saw the problem in Mail.app on some of my older MacOS systems,
> but Mail.app does not have this problem on MacOS catalina.
I can see it too, on many sites.
E.g.
"openssl s_client -connect www.allmusic.com:https" passes verification
on 12.1, but fails on 11.3.
Deleting the expired certificate from /etc/ssl/cert.pem is enough to
solve the problem.
Is anyone looking into this?
What is the official position/suggestion for those stuck on 11.x?
Has at least a bug been reported?
bye & Thanks
av.
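The workaround above (remove the expired root from /etc/ssl/cert.pem) is easy to get wrong by hand on a bundle of a hundred-odd certificates. The following POSIX sh script is an added example, not code from the original post or from the FreeBSD project. It splits a PEM bundle into single certificates, reports each one's status and expiry date using openssl's own `x509 -checkend`, and can write a pruned copy to a separate file so the result can be reviewed before replacing the live bundle. It assumes `openssl(1)` and `awk(1)` are on PATH; the bundle and output paths are arguments, and the `cert-NNNN.pem` temporary naming is this script's own convention.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post. Assumes openssl(1)
# and awk(1) are on PATH. Splits a PEM CA bundle (e.g. /etc/ssl/cert.pem) into
# single certificates, reports which ones are expired (or expire within a given
# number of seconds) and can write a pruned copy. The bundle is never edited in
# place; review the report, then install the pruned copy yourself.

# split_bundle BUNDLE DIR: write each certificate in BUNDLE to DIR/cert-NNNN.pem.
# Non-PEM text between certificates (subject comments etc.) is skipped.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%04d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$1"
}

# cert_status FILE SECONDS: print "expired" if the certificate's notAfter lies
# within SECONDS from now (0 = already expired), otherwise "valid".
cert_status() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        echo valid
    else
        echo expired
    fi
}

# report_bundle BUNDLE SECONDS: one tab-separated line per certificate:
# status, notAfter, subject.
report_bundle() {
    dir=$(mktemp -d) || return 1
    split_bundle "$1" "$dir"
    for f in "$dir"/cert-*.pem; do
        [ -f "$f" ] || continue
        printf '%s\t%s\t%s\n' "$(cert_status "$f" "$2")" \
            "$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')" \
            "$(openssl x509 -in "$f" -noout -subject)"
    done
    rm -rf "$dir"
}

# count_expired BUNDLE SECONDS: number of certificates that fail the check.
count_expired() {
    report_bundle "$1" "$2" | awk -F '\t' '$1 == "expired" { n++ } END { print n + 0 }'
}

# count_certs FILE: number of PEM certificates in FILE.
count_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# prune_bundle BUNDLE SECONDS OUT: copy BUNDLE to OUT without the failing certs.
prune_bundle() {
    dir=$(mktemp -d) || return 1
    split_bundle "$1" "$dir"
    : > "$3"
    for f in "$dir"/cert-*.pem; do
        [ -f "$f" ] || continue
        if [ "$(cert_status "$f" "$2")" = valid ]; then
            cat "$f" >> "$3"
        fi
    done
    rm -rf "$dir"
}

# Usage when run directly: ./certcheck.sh /etc/ssl/cert.pem [SECONDS]
if [ $# -gt 0 ]; then
    report_bundle "$1" "${2:-0}"
fi
```

Run `report_bundle /etc/ssl/cert.pem 0 | grep '^expired'` to list only the roots that are already past their notAfter; a non-zero SECONDS value (e.g. 2592000 for 30 days) turns the same report into an early warning for roots about to expire. `prune_bundle` writes the filtered copy to a path you choose, so the live bundle is only replaced once you have checked that nothing unexpected was dropped.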