There may be an issue with incorrect validation of expiry dates
Closed this issue · 5 comments
ydgydg commented
When I used LibreSSL for certificate validation, I discovered that LibreSSL had incorrectly passed an expired digital certificate. Is this a bug here? Or do I have some misunderstanding of openssl's parsing or verification procedure?
The command I used is:
openssl verify -CAfile root.pem leaf.pem
The validation results:
ok
Perhaps there was a mistake in my operation?
botovq commented
That's not really expected but hard to tell without additional details.
What version of LibreSSL are you using? Can you share the certificates
in question?
ydgydg commented
job commented
@ydgydg can you try with a more recent version of LibreSSL? I cannot reproduce:
$ openssl verify -CAfile root.pem leaf.pem
C = CN, ST = TJ5, L = TJ, O = TJU, OU = beiyangyuan, CN = LQL, emailAddress = ljfpower@163.com
error 20 at 0 depth lookup:unable to get local issuer certificate
leaf.pem: verification failed: 20 (unable to get local issuer certificate)
$ openssl version
LibreSSL 3.7.2
llmlla commented
OK, I'll try it as you suggest
joshuasing commented
Closing due to there being no further response. Please reopen if this is still an issue.