by tialaramex 2214 days ago
This item from their change list:

> Use non-expired certificates first when building a certificate chain.

... is relevant to the recent expiry of Sectigo's old "AddTrust" root. If your library cheerfully assembles a trust path with the expired root and then concludes the certificate isn't valid because the root is expired, you're pointlessly inconvenienced compared to a library that can use the same raw materials to discover a working trust path with no expired certificates.


Would be nice to patch openssl and python to skip expired certificates too when there is a newer one available.
I believe this was fixed in openssl 1.1.1 but there are millions of devices still on 1.0.x
Yeah, we're seeing it in coworkers still running OSX Mojave (albeit with older LibreSSL instead of OpenSSL) using the default curl. Catalina users seem okay though.