TLS Alert response when certificate is not yet valid

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

TLS Alert response when certificate is not yet valid

Doug Smith
Developers,

Is openssl sending the correct TLS alert message when certificate validation fails due to the received certificate being not yet valid?

During TLS authentication, if certificate validation fails, a TLS alert is sent.
If the received certificate has expired, AlertDescription certificate_expired(45) is being sent.
If the received certificate is not yet valid, AlertDescription bad_certificate(42) is being sent.

However, the TLS1.0 specification certificate_expired description appears to apply to the "not yet valid" case as well.
From the TLS1.0 specification (RFC2246, clause 7.2.2 Error Alerts):
   "certificate_expired
       A certificate has expired or is not currently valid."

When certificate validation fails due to the certificate being not yet valid, should openssl be modified to send a TLS alert certificate_expired(45)?

From a network administrator perspective, this change would also group the date/time issues to the same TLS alert, assisting in identifying connection issues.

Apologies if this issue has already been raised in the past.

Regards,
Doug

PS:
Observed with openssl-1.0.2k, using wpa_supplicant connecting to a freeradius server.
See also the openssl code: ssl_verify_alarm_type() in trunk: <ssl/ssl_statem/statem_lib.c> or 1.0.2k:<ssl/s3_both.c>.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev