[BUG] Intermediate cert validity incomplete
Closed this issue · 3 comments
Before you open an issue please check which version you are running and whether it is the latest in stable / dev branch
I am running version 3.2.0 from https://testssl.sh/
Before you open an issue please check whether this is a known problem by searching the issues
couldn't find anything
Command line / docker command to reproduce
testssl.sh -S google.com
Expected behavior
Intermediate cert validity should show complete chain with root ca.
Did work on 3.2RC3
testssl.sh version 3.2rc3 from https://testssl.sh/dev/
Intermediate cert validity
#1: ok > 40 days (2029-02-20 14:00). WE2 <-- GTS Root R4
#2: ok > 40 days (2028-01-28 00:00). GTS Root R4 <-- GlobalSign Root CA
Does not work anymore on 3.2 Stable
Root CA information is missing (GlobalSign Root CA)
testssl.sh version 3.2.0 from https://testssl.sh/
Intermediate cert validity
#1: ok > 40 days (2029-02-20 14:00). WE2 <-- GTS Root R4
#2: ok > 40 days (2028-01-28 00:00). GTS Root R4 <--
Other example (substance3d.adobe.com):
testssl.sh version 3.2rc3 from https://testssl.sh/dev/
Intermediate cert validity
#1: ok > 40 days (2031-03-29 23:59). DigiCert Global G2 TLS RSA SHA256 2020 CA1 <-- DigiCert Global Root G2
#2: ok > 40 days (2038-01-15 12:00). DigiCert Global Root G2 <-- DigiCert Global Root G2
Does not work anymore on 3.2 Stable
Root CA information is missing (GlobalSign Root CA)
testssl.sh version 3.2.0 from https://testssl.sh/
Intermediate cert validity
#1: ok > 40 days (2031-03-29 23:59). DigiCert Global G2 TLS RSA SHA256 2020 CA1 <--
#2: ok > 40 days (2038-01-15 12:00). <--
Your system (please complete the following information):
- OS: Ubuntu 22.04.5 LTS
- Platform: Linux 6.8.0-1020-azure x86_64
- OpenSSL + bash: Using OpenSSL 1.0.2-bad (Mar 28 2025) [~179 ciphers] Using bash 5.1.16
Thanks, can confirm it. Will be fixed shortly
PR will be merged when the GitHub action succeeds. It seems that for some certificates the number of entries in the DN was unexpectedly high, so the CN wasn't caught. The bug was introduced when trying to make the parser more LibreSSL compatible.
Thanks for filing the issue!
Great, thank you for the quick processing
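The failure class the maintainer describes (a DN with more entries than the parser expected, so the CN is not picked up), as an added example that is not testssl.sh code: a positional CN lookup next to a key-based one. The function names and the positional parser are hypothetical, and the issuer lines are constructed sample input in the comma-separated layout of OpenSSL 1.1.x and later and the slash-separated layout of OpenSSL 1.0.x.

```bash
#!/usr/bin/env bash
# Added illustration, not testssl.sh code; function names are hypothetical.
# Constructed sample input: issuer lines in the two layouts openssl prints.
DN_GTS='issuer=C = US, O = Google Trust Services LLC, CN = GTS Root R4'
DN_GLOBALSIGN='issuer=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA'
DN_GLOBALSIGN_OLD='issuer= /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA'

# Fragile: assumes the DN has exactly three entries, with the CN third.
cn_by_position() {
    local dn="${1#issuer=}" third
    third=$(printf '%s\n' "$dn" | awk -F', ' '{ print $3 }')
    case "$third" in
        "CN = "*) printf '%s\n' "${third#CN = }" ;;
        *)        printf '\n' ;;   # an extra OU shifts the CN out of reach
    esac
}

# Robust: split the DN into entries, then select the entry by its key.
cn_by_key() {
    local dn="${1#issuer=}"
    dn="${dn# }"
    printf '%s\n' "$dn" | awk '{
        if ($0 ~ /^\//) {   # slash layout: /C=BE/O=.../CN=...
            gsub(/\/[A-Za-z0-9.]+=/, "\n&"); sep = "\n/"; key = "CN="
        } else {            # comma layout: C = BE, O = ..., CN = ...
            gsub(/, [A-Za-z0-9.]+ = /, "\n&"); sep = "\n, "; key = "CN = "
        }
        n = split($0, rdn, sep); cn = ""
        for (i = 1; i <= n; i++)
            if (index(rdn[i], key) == 1) cn = substr(rdn[i], length(key) + 1)
        print cn
    }'
}

for dn in "$DN_GTS" "$DN_GLOBALSIGN" "$DN_GLOBALSIGN_OLD"; do
    printf 'positional=[%s] by-key=[%s]\n' "$(cn_by_position "$dn")" "$(cn_by_key "$dn")"
done
```

A regression check for this kind of parser should include DNs with an OU entry in both layouts, since the issuers that went missing in the report are the ones whose DN carries four entries.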