[Interest] SSL & Let's Encrypt certificate expiration

Thorsten Glaser t.glaser at tarent.de
Thu Oct 7 14:19:28 CEST 2021


On Thu, 7 Oct 2021, Christophe THOMAS wrote:

> So without the flag OpenSSL would use another store? One located
> locally or embedded inside OpenSSL?

No. If you look at the patch, the flag merely enables that, for
any certificate encountered, it first looks whether the Issuer
is found in the local root certificate store, and if so, that’s
it, chain accepted.

Without this, it first traverses the chain up to *its* root,
which here is the expired X3, because the X1-signed-by-X3 is
in the chain.

With this, it sees R3-signed-by-X1 and X1 is in the local trust
store, so it stops verifying there.

bye,
//mirabilos
-- 
Infrastructure expert • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephone +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

                        ****************************************************
/⁀\ The UTF-8 Ribbon
╲ ╱ Campaign against      Never miss anything with the tarent newsletter:
 ╳  HTML eMail! Also,     https://www.tarent.de/newsletter
╱ ╲ header encryption!
                        ****************************************************
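The two lookup orders described in the message above, as an added example that is not code from the thread or from OpenSSL: a small Python model of path building in which the only difference between the two modes is whether the trust store or the server-presented chain is consulted first when looking up an issuer. The CA names are the real ones from the Let's Encrypt hierarchy; the expiry dates are approximate and assumed, the leaf certificate is hypothetical, and the model matches issuers by subject name only (no signatures, key identifiers or other X.509 checks).

```python
"""Model of OpenSSL chain building with and without "trusted first" lookup.

Added example, not OpenSSL code. It models only subject/issuer name matching
and notAfter checks; real path building also matches key identifiers, checks
signatures and implements X509_V_FLAG_TRUSTED_FIRST in a more involved way.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed model of the Let's Encrypt hierarchy as of October 2021.
# Subject names are the real CN values; expiry dates are approximate (assumed).
DST_ROOT_X3 = Cert("DST Root CA X3", "DST Root CA X3", utc(2021, 9, 30))
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", utc(2035, 6, 4))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", utc(2024, 9, 30))
R3 = Cert("R3", "ISRG Root X1", utc(2025, 9, 15))
LEAF = Cert("example.org", "R3", utc(2021, 12, 31))  # hypothetical leaf

# What the server sends alongside the leaf: the "long" chain carries the
# X1-signed-by-X3 cross certificate, the "short" chain stops at R3.
PRESENTED_LONG = [R3, ISRG_X1_CROSS]
PRESENTED_SHORT = [R3]

# A 2021-era trust store that still carries the expired DST root next to X1.
TRUST_STORE = [DST_ROOT_X3, ISRG_X1_SELF]

# Verification time: the date of the message above.
NOW = utc(2021, 10, 7)


def find_issuer(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    """First certificate in pool whose subject matches cert's issuer name."""
    for cand in pool:
        if cand.subject == cert.issuer:
            return cand
    return None


def build_chain(leaf: Cert, presented: List[Cert], trust_store: List[Cert],
                trusted_first: bool) -> List[Cert]:
    """Walk from the leaf towards a trust anchor.

    The only thing trusted_first changes is which pool is consulted first
    when looking up the issuer of the current certificate.
    """
    pools = [trust_store, presented] if trusted_first else [presented, trust_store]
    chain = [leaf]
    current = leaf
    while not current.self_signed and len(chain) < 10:  # depth guard
        issuer = None
        for pool in pools:
            issuer = find_issuer(current, pool)
            if issuer is not None:
                break
        if issuer is None:
            break  # dangling: no candidate issuer anywhere
        chain.append(issuer)
        current = issuer
        if issuer in trust_store:
            break  # reached a trust anchor; stop here


    return chain


def verify(leaf: Cert, presented: List[Cert], trust_store: List[Cert],
           now: datetime, trusted_first: bool) -> Tuple[bool, List[Cert], str]:
    """Return (ok, chain, reason); reason strings mimic OpenSSL's wording."""
    chain = build_chain(leaf, presented, trust_store, trusted_first)
    if chain[-1] not in trust_store:
        return False, chain, "unable to get issuer certificate"
    for cert in chain:
        if now > cert.not_after:
            return False, chain, f"certificate has expired: {cert.subject}"
    return True, chain, "ok"


if __name__ == "__main__":
    for label, presented in (("long chain", PRESENTED_LONG),
                             ("short chain", PRESENTED_SHORT)):
        for trusted_first in (False, True):
            ok, chain, why = verify(LEAF, presented, TRUST_STORE, NOW, trusted_first)
            path = " -> ".join(c.subject + (" (cross)" if c is ISRG_X1_CROSS else "")
                               for c in chain)
            print(f"{label:11} trusted_first={trusted_first!s:5} {path}: {why}")
```

Run with the long chain and trusted_first=False the walk goes leaf, R3, the cross-signed X1, then DST Root CA X3 from the trust store, and the expired root fails the chain; with trusted_first=True the lookup for R3's issuer hits the self-signed ISRG Root X1 in the trust store and stops there. The short chain passes in both modes, which is the other fix available to server operators: stop sending the cross certificate.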

