Developers,
Is openssl sending the correct TLS alert message when certificate validation fails due to the received certificate being not yet valid?
During TLS authentication, if certificate validation fails, a TLS alert is sent.
If the received certificate has expired, AlertDescription certificate_expired(45) is being sent.
If the received certificate is not yet valid, AlertDescription bad_certificate(42) is being sent.
However, the TLS1.0 specification's certificate_expired description appears to apply to the "not yet valid" case as well.
From the TLS1.0 specification (RFC2246, clause 7.2.2 Error Alerts):
"certificate_expired
A certificate has expired or is not currently valid."
When certificate validation fails due to the certificate being not yet valid, should openssl be modified to send a TLS alert certificate_expired(45)?
From a network administrator perspective, this change would also group the date/time issues to the same TLS alert, assisting in identifying connection issues.
Apologies if this issue has already been raised in the past.
Regards,
Doug
PS:
Observed with openssl-1.0.2k, using wpa_supplicant connecting to a freeradius server.
See also the openssl code: ssl_verify_alarm_type() in trunk: <ssl/ssl_statem/statem_lib.c> or 1.0.2k:<ssl/s3_both.c>.
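The two mappings under discussion, as an added example that is not part of the original mail or of OpenSSL's own code: a small C model of how a verify error becomes an AlertDescription (the current behaviour reported above versus the proposed grouping), plus a decoder for a captured TLS alert record so an administrator can tell from the wire whether a failure is a validity-period issue. The verify-error numbers 9 and 10 mirror X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED from OpenSSL's x509_vfy.h; the capture bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* TLS AlertDescription values quoted in the mail, and the alert ContentType. */
#define AD_BAD_CERTIFICATE     42
#define AD_CERTIFICATE_EXPIRED 45
#define CT_ALERT               21

/* X509 verify result codes, same values as OpenSSL's x509_vfy.h. */
#define VERR_CERT_NOT_YET_VALID 9
#define VERR_CERT_HAS_EXPIRED   10

/* Map a verify error to an alert. With group_time_issues == 0 this follows the
 * behaviour reported for 1.0.2k; with 1 it follows the mail's proposal. */
int alert_for_verify_error(int verr, int group_time_issues) {
    switch (verr) {
    case VERR_CERT_HAS_EXPIRED:
        return AD_CERTIFICATE_EXPIRED;
    case VERR_CERT_NOT_YET_VALID:
        return group_time_issues ? AD_CERTIFICATE_EXPIRED : AD_BAD_CERTIFICATE;
    default:
        return AD_BAD_CERTIFICATE;   /* other failures collapse here in this model */
    }
}

/* Parse a TLS record carrying an alert: 5-byte header (type, version, length)
 * followed by AlertLevel and AlertDescription. Returns the description, or -1. */
int parse_alert_record(const uint8_t *rec, size_t len, int *level) {
    if (len < 7 || rec[0] != CT_ALERT) return -1;
    size_t body = ((size_t)rec[3] << 8) | rec[4];
    if (body != 2 || len < 5 + body) return -1;   /* alert body is exactly 2 bytes */
    if (level) *level = rec[5];
    return rec[6];
}

/* Can an administrator tell from the alert alone that this is a date/time issue? */
int alert_is_validity_period(int desc) { return desc == AD_CERTIFICATE_EXPIRED; }

int main(void) {
    /* Constructed capture: TLS1.0 alert record, fatal(2), certificate_expired(45 = 0x2d). */
    const uint8_t cap[] = {0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x2d};
    int lvl = 0, desc = parse_alert_record(cap, sizeof cap, &lvl);
    printf("level=%d description=%d validity_period=%d\n", lvl, desc, alert_is_validity_period(desc));
    printf("not-yet-valid -> current %d, proposed %d\n",
           alert_for_verify_error(VERR_CERT_NOT_YET_VALID, 0),
           alert_for_verify_error(VERR_CERT_NOT_YET_VALID, 1));
    return 0;
}
```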
--
openssl-dev mailing list