Darn, and I was hoping to be able to patch it myself :)

-Zak

*Zak Blacher*
Software Engineer Security Infrastructure
206.453.9955
[email protected]
linkedin.com/in/zakblacher

On Wed, Jan 13, 2016 at 2:44 PM, Viktor Dukhovni via RT <[email protected]> wrote:

> On Wed, Jan 13, 2016 at 06:58:14PM +0000, Zak Blacher via RT wrote:
>
> > I've found an inconsistency in the return status of 'openssl verify'. I've
> > attached a custom dummy ca, and an example certificate. This certificate is
> > valid for some date range in the future.
> >
> > On my redhat machine (openssl 1.0.1e), running openssl verify will return a
> > status code of 2, but in osx (openssl 0.98zg), the return status is 0. In
> > both cases, I correctly see an error 9 in the function output.
> >
> > The behavior of validating an expired certificate returns a status code of
> > 0 on both systems.
>
> Yes, certain errors were ignored in verify(1), allowing chain
> verification to continue, but should have been noted at the end.
>
> I have a fix for the master release pending review, should appear
> in 1.1.0 alpha2 if it gets reviewed today.
>
> Backports to 1.0.1 and 1.0.2 later if deemed appropriate. 0.9.8
> and 1.0.0 are EOL, so they'll not get fixed.
>
> --
> Viktor.

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
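The thread reports that `openssl verify` can print error 9 and still exit with status 0 on some versions. As an added example (not from the thread or from the OpenSSL project), the wrapper below fails closed by checking the printed output as well as the exit status; the function names, file names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: do not trust the exit status of `openssl verify` alone.

# verify_output_ok TEXT
# Succeeds only if the captured output reports no verification error
# and contains an explicit OK line.
verify_output_ok() {
    # Any "error N at D depth lookup" line is a failure, whatever the
    # process exit status was.
    if printf '%s\n' "$1" | grep -Eq '^error [0-9]+ at [0-9]+ depth lookup'; then
        return 1
    fi
    # Require an explicit OK so empty or unexpected output also fails.
    printf '%s\n' "$1" | grep -Eq '(^|: )OK$'
}

# verify_strict CAFILE CERT
# Runs openssl verify and succeeds only when the exit status is 0 AND
# the output passes verify_output_ok.
verify_strict() {
    status=0
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || status=$?
    printf '%s\n' "$out"
    [ "$status" -eq 0 ] && verify_output_ok "$out"
}

# Constructed sample outputs (not captured from a real run).
# An error line followed by OK, the case where status alone misleads:
SAMPLE_NOT_YET_VALID='future.pem: CN = example
error 9 at 0 depth lookup:certificate is not yet valid
OK'
# A clean verification:
SAMPLE_GOOD='good.pem: OK'
```

In a deployment script, call `verify_strict ca.pem cert.pem || exit 1` (file names are placeholders) instead of testing `$?` after a bare `openssl verify`.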
