openssl: Test certificates will expire soon
While working on reproducible builds for openSUSE, some tests fail with expired certificates when setting the build date after 2022-06-01. Originally reported by Bernhard Wiedemann in openSUSE bugzilla. See also:
for cert in `find test -name \*pem` ; do openssl x509 -text < $cert | grep After |grep 2022 && echo $cert ; done 2>&1 |grep -A1 2022
Not After : Apr 13 10:00:00 2022 GMT
test/ocsp-tests/D1_Issuer_ICA.pem
Not After : Apr 13 10:00:00 2022 GMT
test/ocsp-tests/ISIC_D1_Issuer_ICA.pem
Not After : Apr 13 10:00:00 2022 GMT
test/ocsp-tests/WSNIC_D1_Issuer_ICA.pem
Not After : Apr 13 10:00:00 2022 GMT
test/ocsp-tests/WKIC_D1_Issuer_ICA.pem
Not After : Jun 1 00:00:00 2022 GMT
test/certs/embeddedSCTs1_issuer.pem
Not After : Jun 1 00:00:00 2022 GMT
test/certs/embeddedSCTs1.pem
The verbose output of test 80-test_ssl_new.t shows:
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
# [2] compared to [0]
# INFO: @ test/ssl_test.c:34
# ExpectedResult mismatch: expected Success, got ClientFail.
# 139919277639040:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
not ok 2 - iteration 2
Since the expiring date is a year from now, could you update these certificates?
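The one-liner in the report greps for the year 2022. As an added example (not part of the original report or of the OpenSSL test suite), the function below instead checks every PEM certificate against an arbitrary reference date, such as a future reproducible-build date. The function name `certs_expired_at` is hypothetical, and the `openssl` CLI and GNU `date -d` are assumed to be available.

```sh
#!/bin/sh
# Added example: report PEM certificates that are already expired at a given
# reference date (for instance a reproducible-build date set in the future).
# Assumptions: the openssl CLI and GNU date (for `date -d`) are installed;
# the function name certs_expired_at is hypothetical.

# Usage: certs_expired_at DIR DATE
# Prints "<notAfter><TAB><path>" for every certificate whose notAfter is
# earlier than DATE. Returns 1 if any such certificate exists, 0 if none,
# 2 on a usage or setup error.
certs_expired_at() {
    dir=$1
    ref_epoch=$(date -u -d "$2" +%s 2>/dev/null) || return 2
    list=$(mktemp) || return 2
    find "$dir" -type f -name '*.pem' > "$list"
    found=0
    while IFS= read -r cert; do
        # -enddate prints e.g. "notAfter=Jun  1 00:00:00 2022 GMT".
        # Files that are not certificates (keys, CRLs) make openssl fail: skip.
        end=$(openssl x509 -noout -enddate -in "$cert" 2>/dev/null) || continue
        end=${end#notAfter=}
        end_epoch=$(date -u -d "$end" +%s 2>/dev/null) || continue
        if [ "$end_epoch" -lt "$ref_epoch" ]; then
            printf '%s\t%s\n' "$end" "$cert"
            found=1
        fi
    done < "$list"
    rm -f "$list"
    return "$found"
}

# Example: certs_expired_at test 2022-06-02
```

Only the first certificate in each file is inspected, so bundles holding several certificates need to be split first. Running the check in CI with the planned build date turns a future test failure into an immediate one.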
About this issue
- State: closed
- Created 3 years ago
- Reactions: 1
- Comments: 18 (10 by maintainers)
Commits related to this issue
- Update expired SCT issuer certificate Fixes #15179 — committed to t8m/openssl by t8m 2 years ago
- Update expired SCT issuer certificate Fixes #15179 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pul... — committed to openssl/openssl by t8m 2 years ago
- Update further expiring certificates that affect tests Namely the smime certificates used in test_cms and the SM2 certificates will expire soon and affect tests. Fixes #15179 — committed to t8m/openssl by t8m 2 years ago
- Update further expiring certificates that affect tests Namely the smime certificates used in test_cms and the SM2 certificates will expire soon and affect tests. Fixes #15179 Reviewed-by: Dmitry Be... — committed to openssl/openssl by t8m 2 years ago
- Update further expiring certificates that affect tests Namely the smime certificates used in test_cms will expire soon and affect tests. Fixes #15179 — committed to t8m/openssl by t8m 2 years ago
- Update further expiring certificates that affect tests Namely the smime certificates used in test_cms will expire soon and affect tests. Fixes #15179 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.c... — committed to openssl/openssl by t8m 2 years ago
- Update further expiring certificates that affect tests Namely the smime certificates used in test_cms will expire soon and affect tests. Fixes #15179 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.c... — committed to open-quantum-safe/openssl by t8m 2 years ago
- openssl test cert update (#373) * Update further expiring certificates that affect tests Namely the smime certificates used in test_cms will expire soon and affect tests. Fixes #15179 Revie... — committed to open-quantum-safe/openssl by baentsch 2 years ago
- Squashed commit of the following: commit 8aaca20cf9996257d1ce2e6f4d3059b3698dde3d Author: Matt Caswell <matt@openssl.org> Date: Tue Jun 21 14:39:39 2022 +0100 Prepare for 1.1.1p release R... — committed to ituglib/openssl by rsbeckerca 2 years ago
- Squashed commit of the following: commit 29708a562a1887a91de0fa6ca668c71871accde9 Author: Richard Levitte <levitte@openssl.org> Date: Tue Jul 5 11:08:33 2022 +0200 Prepare for 1.1.1q release ... — committed to ituglib/openssl by rsbeckerca 2 years ago
- Update further expiring certificates that affect tests Namely the smime certificates used in test_cms and the SM2 certificates will expire soon and affect tests. Fixes #15179 Reviewed-by: Dmitry Be... — committed to sftcd/openssl by t8m 2 years ago
- Squashed commit of the following: commit 6fd6179191702eb0562ccbfb22a37405c669b90e Author: Randall S. Becker <randall.becker@nexbridge.ca> Date: Tue Jul 5 17:50:13 2022 -0400 Missed include on ... — committed to ituglib/openssl by rsbeckerca 2 years ago
- Squashed commit of the following: commit 1b3fb89163127047b0f99412b8a31522215b3bea Author: Randall S. Becker <rsbecker@nexbridge.com> Date: Tue Oct 11 11:17:39 2022 -0600 Squashed commit of the... — committed to ituglib/openssl by rsbeckerca 2 years ago
- Update further expiring certificates that affect tests Namely the smime certificates used in test_cms and the SM2 certificates will expire soon and affect tests. Fixes #15179 Reviewed-by: Dmitry Be... — committed to tmshort/openssl by t8m 2 years ago
- Update expired SCT issuer certificate Fixes #15179 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pul... — committed to tmshort/openssl by t8m 2 years ago
- Squashed commit of the following: commit 44ea69d6aadbbf9b951335e5ed296eed019e9ffe Author: Randall S. Becker <rsbecker@nexbridge.com> Date: Wed Nov 2 12:49:30 2022 -0600 Squashed commit of the ... — committed to ituglib/openssl by rsbeckerca a year ago
- Merged OpenSSL 1.1.1u with ituglib_release commit 65be16881b71f4d66c77664775c93340a7b89c6d Author: Randall S. Becker <rsbecker@nexbridge.com> Date: Tue Feb 7 09:13:22 2023 -0700 Squashed commi... — committed to ituglib/openssl by rsbeckerca a year ago
- Update expiring certificates that affect tests Namely the smime certificates used in test_cms will expire soon and affect tests. Fixes #15179 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by:... — committed to mattcaswell/openssl by t8m 2 years ago
The setup.sh script (via mkcert) defaults to generating 100-year certs. If some certs in the test-suite are not expiring in the early 2100’s, they were generated outside those scripts, which perhaps presently don’t have support for creating certs with SCTs, but that could perhaps be added.
In any case, if new test certs are created, they should have ridiculously long expiration times, so that if QCs some day obsolete RSA, ECDSA, … it’ll be well before these certs expire…