libressl/portable

There may be an issue with incorrect validation of expiry dates

Closed this issue · 5 comments

ydgydg commented

When I used LibreSSL for certificate validation, I discovered that LibreSSL had incorrectly passed an expired digital certificate. Is this a bug here? Or do I have some misunderstandings about openssl in its parsing or verification procedure?
The command I used is:
openssl verify -CAfile root.pem leaf.pem
The validation results:
ok
Perhaps there was a mistake in my operation?

botovq commented

ydgydg commented

Here is the certificate file I used, and the version number is 3.4.1
leaf.txt
root.txt

job commented

@ydgydg can you try with a more recent version of LibreSSL? I cannot reproduce:

$ openssl verify -CAfile root.pem leaf.pem
C = CN, ST = TJ5, L = TJ, O = TJU, OU = beiyangyuan, CN = LQL, emailAddress = ljfpower@163.com
error 20 at 0 depth lookup:unable to get local issuer certificate
leaf.pem: verification failed: 20 (unable to get local issuer certificate)

$ openssl version
LibreSSL 3.7.2

llmlla commented

OK, I'll try it as you suggest

Closing due to there being no further response. Please reopen if this is still an issue.