X509.has_expired() returns wrong value on OS X / OpenSSL 1.0.2 #192
It looks like the return value of the call to ASN1_UTCTIME_cmp_time_t returns -2 which is an error condition. The function changed in this commit: openssl/openssl@46a6cec. According to the OpenSSL changelog, it was added after 1.0.1k and landed in the 1.0.2 release.
This is no longer an issue with OpenSSL 1.0.2a (the bug occurred in 1.0.2).
So it seems as if there’s still some problem here. On 1.0.2d, I’ve glanced over OpenSSL and googled it but couldn’t find anything helpful related to it. The certificate used in the test FWIW expires in 2017…
Seems like there’s no less than three reasons why
To be clear, this seems to be a bug from us because we use the function wrong? Could it be related to #311?
gm_time_adj (which is used in this test) properly does UTCTIME vs GENERALIZEDTIME so that's not the issue here (although the unconditional use of UTCTIME is incorrect). I'm looking into this a bit more.
I'm putting this here to track down some weird behavior I'm seeing when I was testing the verify-chain branch.
pyOpenSSL: 0.14
cryptography: 0.7.2
Test fails on: OpenSSL: 1.0.2 22 Jan 2015 (Homebrew OpenSSL)
Test passes on: OpenSSL: 0.9.8zc 15 Oct 2014 (OS X 10.10.2 OpenSSL)
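An added example, not pyOpenSSL's or OpenSSL's code: a pure-Python expiry check that keeps a parse failure (the analogue of the -2 error return discussed in this thread) separate from the comparison result, and accepts both UTCTIME and GENERALIZEDTIME. The names `ASN1TimeError`, `parse_asn1_time` and `has_expired`, and the sample time strings in the test, are constructed for illustration.

```python
from datetime import datetime, timezone


class ASN1TimeError(ValueError):
    """Raised when a time string cannot be parsed; never folded into a bool."""


def parse_asn1_time(value: bytes) -> datetime:
    """Parse UTCTIME (YYMMDDHHMMSSZ) or GENERALIZEDTIME (YYYYMMDDHHMMSSZ)."""
    try:
        text = value.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ASN1TimeError("non-ASCII time string") from exc
    if not text.endswith("Z") or not text[:-1].isdigit():
        raise ASN1TimeError(f"unsupported time format: {text!r}")
    digits = text[:-1]
    if len(digits) == 12:
        # UTCTIME: two-digit year, RFC 5280 pivot (00-49 -> 20YY, 50-99 -> 19YY)
        year = int(digits[:2])
        year += 2000 if year < 50 else 1900
        rest = digits[2:]
    elif len(digits) == 14:
        # GENERALIZEDTIME: four-digit year
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ASN1TimeError(f"unexpected length: {text!r}")
    try:
        # rest is MMDDHHMMSS; datetime() rejects out-of-range fields
        fields = [int(rest[i:i + 2]) for i in range(0, 10, 2)]
        return datetime(year, *fields, tzinfo=timezone.utc)
    except ValueError as exc:
        raise ASN1TimeError(f"invalid field in {text!r}") from exc


def has_expired(not_after: bytes, now: datetime) -> bool:
    """True only when not_after parsed cleanly and lies strictly before now."""
    # A parse failure propagates as ASN1TimeError instead of reading as "expired".
    return parse_asn1_time(not_after) < now
```
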