OpenSSL introduced a tiny BC-break between v1.0.2 and v1.1.x: the command fails when validating an expired leaf certificate (unless the flag `-no_check_time` is passed):
```
# v1.0.2
$ openssl verify -CAfile apple-root-ca.pem -untrusted intermediate.pem leaf.pem
leaf.pem: CN = ecc-smp-broker-sign_UC4-SANDBOX, OU = iOS Systems, O = Apple Inc., C = US
error 10 at 0 depth lookup:certificate has expired
OK

# v1.1.1
$ openssl verify -CAfile apple-root-ca.pem -untrusted intermediate.pem leaf.pem
CN = ecc-smp-broker-sign_UC4-SANDBOX, OU = iOS Systems, O = Apple Inc., C = US
error 10 at 0 depth lookup: certificate has expired
error leaf.pem: verification failed

$ openssl verify -no_check_time -CAfile apple-root-ca.pem -untrusted intermediate.pem leaf.pem
leaf.pem: OK
```
In the production flow this shouldn't be a problem, but when executing integration tests using a fixed token (with expired certs in the signature) with recent versions of OpenSSL the process fails - you can test that by running the example script in this repo =)

My suggestion is to have an alternative implementation of the `OpenSslService` to be used for tests, which would verify the OpenSSL version and add the flag.

What are your thoughts?
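
The version check suggested above, as an added shell example for test fixtures only (not part of the original issue and not code from this repository). The function names are hypothetical, and the rule "OpenSSL 1.1 or later gets the flag" is an assumption generalised from the two versions shown in the issue; any other banner gets no flag, so certificate validity periods stay enforced by default.

```shell
#!/bin/sh
# Added example, TEST FIXTURES ONLY: decide from the `openssl version`
# banner whether `openssl verify` should receive -no_check_time.

# needs_no_check_time "<banner>" -> exit status 0 if the flag should be added.
# Assumption: "OpenSSL >= 1.1" is strict about expiry (the issue shows 1.1.1);
# unknown or unparsable banners (e.g. LibreSSL) never relax the time check.
needs_no_check_time() {
    banner=$1
    case $banner in
        "OpenSSL "*) ;;
        *) return 1 ;;
    esac
    version=${banner#OpenSSL }      # e.g. "1.1.1k  25 Mar 2021"
    version=${version%% *}          # e.g. "1.1.1k"
    major=${version%%.*}
    rest=${version#*.}
    minor=${rest%%.*}
    case $major in ''|*[!0-9]*) return 1 ;; esac
    case $minor in ''|*[!0-9]*) return 1 ;; esac
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -ge 1 ]; then return 0; fi
    return 1
}

# verify_flags "<banner>" -> prints the extra flags (possibly none).
verify_flags() {
    if needs_no_check_time "$1"; then
        printf '%s\n' "-no_check_time"
    else
        printf '%s\n' ""
    fi
}

# verify_fixture_chain CAFILE INTERMEDIATE LEAF
# Hypothetical helper for integration tests that replay a fixed token whose
# signing certificates have expired. Not for the production verification path.
verify_fixture_chain() {
    flags=$(verify_flags "$(openssl version)")
    # $flags is deliberately unquoted: an empty value must add no argument.
    openssl verify $flags -CAfile "$1" -untrusted "$2" "$3"
}
```
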