PayU-EMEA / apple-pay

This library is used to decode tokens for Apple Pay.

OpenSSL v1.1.x upgrade impact on testability #23

Open lcobucci opened 2 years ago

lcobucci commented 2 years ago

OpenSSL introduced a tiny BC-break between v1.0.2 and v1.1.x: command fails when validating an expired leaf certificate (unless the flag -no_check_time is passed):

```
# v1.0.2
$ openssl verify -CAfile apple-root-ca.pem -untrusted intermediate.pem leaf.pem
leaf.pem: CN = ecc-smp-broker-sign_UC4-SANDBOX, OU = iOS Systems, O = Apple Inc., C = US
error 10 at 0 depth lookup:certificate has expired
OK

# v1.1.1
$ openssl verify -CAfile apple-root-ca.pem -untrusted intermediate.pem leaf.pem
CN = ecc-smp-broker-sign_UC4-SANDBOX, OU = iOS Systems, O = Apple Inc., C = US
error 10 at 0 depth lookup: certificate has expired
error leaf.pem: verification failed

$ openssl verify -no_check_time -CAfile apple-root-ca.pem -untrusted intermediate.pem leaf.pem
leaf.pem: OK
```

In the production flow this shouldn't be a problem but when executing integration tests using a fixed token (with expired certs in the signature) with recent versions of OpenSSL the process fails - you can test that by running the example script in this repo =)

My suggestion is to have an alternative implementation of the OpenSslService to be used for tests, which would verify the openssl version and add the flag.

What are your thoughts?
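
One way to scope the version check and the flag to test runs, as an added example that is not part of the original post or the library's code. The `ALLOW_EXPIRED_FIXTURE_CERTS` variable and all function names are hypothetical, and the sketch assumes `-no_check_time` is only accepted from OpenSSL 1.1.0 on, so expiry checking stays enforced whenever the opt-in is absent.

```shell
#!/bin/sh
# Added example (not the project's code): relax certificate validity-period
# checking only for test fixtures, and only where openssl understands the flag.

# Succeeds if "$1" (the output of `openssl version`) names OpenSSL 1.1.0 or
# later; assumed here to be the first release accepting -no_check_time.
supports_no_check_time() {
    case "$1" in
        "OpenSSL "*) ;;
        *) return 1 ;;          # LibreSSL and others: do not guess
    esac
    ver=${1#OpenSSL }           # "1.1.1w  11 Sep 2023"
    ver=${ver%% *}              # "1.1.1w"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 1 ]; }
}

# Prints -no_check_time only when the caller opted in through the hypothetical
# ALLOW_EXPIRED_FIXTURE_CERTS=1 variable AND the version supports the flag.
# Production code paths never set the variable, so expiry stays enforced there.
verify_time_flag() {
    if [ "${ALLOW_EXPIRED_FIXTURE_CERTS:-0}" = "1" ] && supports_no_check_time "$1"; then
        printf '%s' '-no_check_time'
    fi
}

# verify_chain ROOT_CA INTERMEDIATE LEAF: same command line as in the issue.
verify_chain() {
    flag=$(verify_time_flag "$(openssl version)")
    # $flag is deliberately unquoted: an empty value must expand to no argument.
    openssl verify $flag -CAfile "$1" -untrusted "$2" "$3"
}

# Run only when called with the three PEM paths.
if [ "$#" -eq 3 ]; then
    verify_chain "$@"
fi
```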