OpenSSL v1.1.x upgrade impact on testability #23

Open
lcobucci opened this issue Apr 12, 2022 · 0 comments

Comments

@lcobucci

OpenSSL introduced a tiny BC-break between v1.0.2 and v1.1.x: the command fails when validating an expired leaf certificate (unless the flag -no_check_time is passed):

# v1.0.2
$ openssl verify -CAfile apple-root-ca.pem -untrusted intermediate.pem leaf.pem
leaf.pem: CN = ecc-smp-broker-sign_UC4-SANDBOX, OU = iOS Systems, O = Apple Inc., C = US
error 10 at 0 depth lookup:certificate has expired
OK

# v1.1.1
$ openssl verify -CAfile apple-root-ca.pem -untrusted intermediate.pem leaf.pem
CN = ecc-smp-broker-sign_UC4-SANDBOX, OU = iOS Systems, O = Apple Inc., C = US
error 10 at 0 depth lookup: certificate has expired
error leaf.pem: verification failed

$ openssl verify -no_check_time -CAfile apple-root-ca.pem -untrusted intermediate.pem leaf.pem
leaf.pem: OK

In the production flow this shouldn't be a problem, but when executing integration tests using a fixed token (with expired certs in the signature) with recent versions of OpenSSL, the process fails; you can test that by running the example script in this repo =)

My suggestion is to have an alternative implementation of the OpenSslService to be used for tests, which would verify the OpenSSL version and add the flag.

What are your thoughts?
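A runtime version check of the kind proposed above, written as an added example rather than code from this issue or from the project's OpenSslService; it is the shell equivalent of the commands in the transcript. Note what the transcript itself shows: the 1.0.2 tool prints "error 10 ... certificate has expired" and then still reports OK, so the old command-line tool treated an expired certificate as non-fatal, while 1.1.x makes it a hard failure unless -no_check_time is given. The example therefore inspects the banner from `openssl version`, adds -no_check_time only where that option exists (OpenSSL 1.1.0 and later), and falls back to probing `openssl verify -help` when the banner is not an OpenSSL one (for instance LibreSSL). The file names are the ones from the transcript; OPENSSL_BIN and the function names are this example's own conventions.

```shell
#!/bin/sh
# Added example, not code from the issue or the project: pick the extra flag
# that `openssl verify` needs so an expired test fixture still validates.
#
# Assumptions (this example's conventions, not the project's):
#   - apple-root-ca.pem, intermediate.pem, leaf.pem are the files from the issue
#   - OPENSSL_BIN names the binary under test (defaults to "openssl" on PATH)

OPENSSL_BIN="${OPENSSL_BIN:-openssl}"

# Reduce a banner such as "OpenSSL 1.1.1k  25 Mar 2021" to "1.1.1".
# Prints nothing for banners that do not start with "OpenSSL" (e.g. LibreSSL).
openssl_version_number() {
  printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*$/\1/p'
}

# Print the flag required for the given banner: "-no_check_time" for OpenSSL
# 1.1.0 and later, nothing for 1.0.x. Returns 1 when the banner is not OpenSSL
# so the caller can fall back to probing the binary instead.
verify_time_flag_for_banner() {
  ver=$(openssl_version_number "$1")
  [ -n "$ver" ] || return 1
  case $ver in
    *.*) ver_major=${ver%%.*}; ver_rest=${ver#*.}; ver_minor=${ver_rest%%.*} ;;
    *)   ver_major=$ver; ver_minor=0 ;;
  esac
  if [ "$ver_major" -gt 1 ] || { [ "$ver_major" -eq 1 ] && [ "$ver_minor" -ge 1 ]; }; then
    printf '%s' '-no_check_time'
  fi
}

# Decide at runtime for the binary in OPENSSL_BIN. Unknown banners are probed:
# builds that support the option list it in `verify -help` output, while 1.0.2
# prints a usage line without it, so grep decides.
verify_time_flag() {
  banner=$("$OPENSSL_BIN" version 2>/dev/null) || return 1
  if flag=$(verify_time_flag_for_banner "$banner"); then
    printf '%s' "$flag"
  elif "$OPENSSL_BIN" verify -help 2>&1 | grep -q -- '-no_check_time'; then
    printf '%s' '-no_check_time'
  fi
}

# Test-only wrapper: validate $3 (leaf) against $1 (root) via $2 (untrusted
# intermediate), ignoring validity dates where the tool would otherwise fail.
# Keep this out of the production path: expiry must stay fatal there.
verify_fixture_chain() {
  # shellcheck disable=SC2046  # word splitting of the (possibly empty) flag is intended
  "$OPENSSL_BIN" verify $(verify_time_flag) -CAfile "$1" -untrusted "$2" "$3"
}

# Usage, mirroring the transcript:
#   verify_fixture_chain apple-root-ca.pem intermediate.pem leaf.pem
```

-no_check_time switches off validity-period checks for every certificate in the chain, so confine it to the test-only service the issue proposes. When the time at which the fixture token was signed is known, `openssl verify -attime <epoch-seconds>` validates the chain as of that instant and keeps the date check meaningful; that is the tighter choice if the test should assert that the chain was valid when the token was issued.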
