Reproduced the bug with:
# dpkg-query -W libssl1.0.0 openssl
libssl1.0.0:amd64 1.0.2g-1ubuntu4.19
openssl 1.0.2g-1ubuntu4.19
# openssl s_client -connect expired-root-ca-test.germancoding.com:443 -servername expired-root-ca-test.germancoding.com -verify 1 -verifyCAfile ca.pem
verify depth is 1
CONNECTED(00000003)
depth=3 C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Doctored Durian Root CA X3
verify error:num=10:certificate has expired
notAfter=Jan 30 14:01:15 2021 GMT
140540576667288:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1264:
# upgrading
# dpkg-query -W libssl1.0.0 openssl
libssl1.0.0:amd64 1.0.2g-1ubuntu4.20
openssl 1.0.2g-1ubuntu4.20
# # openssl s_client -connect expired-root-ca-test.germancoding.com:443 -servername expired-root-ca-test.germancoding.com -verify 1 -verifyCAfile ca.pem
verify depth is 1
CONNECTED(00000003)
depth=2 C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Pretend Pear X1
verify return:1
depth=1 C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3
verify return:1
depth=0 CN = expired-root-ca-test.germancoding.com
verify return:1
---
Certificate chain
 0 s:/CN=expired-root-ca-test.germancoding.com
   i:/C=US/O=(STAGING) Let's Encrypt/CN=(STAGING) Artificial Apricot R3
 1 s:/C=US/O=(STAGING) Let's Encrypt/CN=(STAGING) Artificial Apricot R3
   i:/C=US/O=(STAGING) Internet Security Research Group/CN=(STAGING) Pretend Pear X1
 2 s:/C=US/O=(STAGING) Internet Security Research Group/CN=(STAGING) Pretend Pear X1
   i:/C=US/O=(STAGING) Internet Security Research Group/CN=(STAGING) Doctored Durian Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGgTCCBWmgAwIBAgITAPqeXD5BcpT3tXI8aoDSYano7DANBgkqhkiG9w0BAQsF
....
connection is successful.