Openssl on 11.x and expired certificates [was: IMAP && Server certificate has expired]

Andrea Venturoli ml at netfence.it
Fri Jun 5 15:08:42 UTC 2020


On 2020-06-01 00:16, Garance A Drosehn wrote:

> There is a cert from AddTrust which expired early on Saturday.  I
> believe it was the cert for certificate-authority named USERTrust RSA.
> This shouldn't have been a problem, because there is a newer cert for
> that same CA which has not expired.
> 
> I do not understand all the details, but apparently there is a bug in
> versions of OpenSSL which are older than version 1.1.  If the older
> (now-expired) cert is known on some system, it is used instead of the
> newer cert.  And therefore that cert, and every cert which was generated
> by that CA is also considered invalid.  This problem hit us at RPI on
> many Redhat systems yesterday.
> 
> I also saw the problem in Mail.app on some of my older MacOS systems,
> but Mail.app does not have this problem on MacOS catalina.

I can see it too, on many sites.

E.g.
"openssl s_client -connect www.allmusic.com:https" passes verification 
on 12.1, but fails on 11.3.

Deleting the expired certificate from /etc/ssl/cert.pem is enough to 
solve the problem.

Is anyone looking into this?
What is the official position/suggestion for those stuck on 11.x?
Has at least a bug been reported?

  bye & Thanks
	av.


More information about the freebsd-questions mailing list