handling of expired certificates


handling of expired certificates

Vijaya Venkatachalam
Hi
 
I am new to openssl application development.
I had a question on how to handle expired certificates.
 
So at the time of openssl connection establishment, the certificate is valid.
But while the connection is still up, the certificate expires.
 
Is the application supposed to handle this or does openssl handle this?
 
What should be the application behavior on certificate expiry?
 
Thanks,
Vijaya

RE: handling of expired certificates

Salz, Rich

OpenSSL does nothing about this.  It’s an interesting question.  As far as TLS/SSL is concerned, it is only using the certificate at the time the connection is initially established, and therefore expiration (or revocation) during the application’s use of the certificate is up to the application. The only practical use that I can imagine is using something in the cert (DN or an extension) for authorization decisions…


                /r$

-- 
Principal Security Engineer
Akamai Technology
Cambridge, MA


Re: handling of expired certificates

Viktor Dukhovni
In reply to this post by Vijaya Venkatachalam
On Tue, Apr 23, 2013 at 10:17:54AM -0700, Vijaya Venkatachalam wrote:

> So at the time of openssl connection establishment, the certificate is valid.
> But while the connection is still up, the certificate expires.

The certificate was valid at the time it was verified, this is sufficient.

> Is the application supposed to handle this or does openssl handle this?

Nothing needs to be done, so openssl does nothing.

> what should be the application behavior on certificate expiry?

It should keep going.

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: [openssl-users] handling of expired certificates

Erwann ABALEA
In reply to this post by Vijaya Venkatachalam
OpenSSL doesn't take care of the expiration of your certificate automagically in the background and call some function in your application to asynchronously tell that the certificate you received several seconds ago has now expired.
Identically, OpenSSL doesn't take care of external events that may now declare your certificate as revoked.

Verify the validity of the certificate at the current time. If you want to periodically check for the validity of the certificate because you're using it for a looooooong session, that's up to you.

-- 
Erwann ABALEA


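The re-check Erwann describes, as an added example that is not part of the thread and not OpenSSL project code. It uses Python's standard-library ssl module (a wrapper over OpenSSL) rather than the C API so it runs without a build setup: getpeercert() on an established SSLSocket returns the peer certificate's notBefore/notAfter strings, and ssl.cert_time_to_seconds() turns them into epoch seconds for a comparison against the current clock. The SAMPLE_PEER_CERT dict is constructed in that shape with made-up timestamps, and PeerCertWatchdog is a hypothetical helper name, not an API of either library. Note what this does and does not cover: it repeats only the validity-window comparison; revocation is still invisible, and only a new handshake (Patrick's reconnect/renegotiate suggestion below) runs OpenSSL's full chain verification again.

```python
import ssl
import time
from typing import Optional

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# verified peer (only the fields this check reads are filled in). The
# timestamps are made up for the example, not taken from a real certificate.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "notBefore": "Apr 23 00:00:00 2013 GMT",
    "notAfter": "Apr 23 19:17:54 2013 GMT",
}


def cert_valid_now(cert: dict, now: Optional[float] = None) -> bool:
    """True if `now` lies inside the certificate's [notBefore, notAfter] window.

    This is the validity-period comparison OpenSSL performs once during the
    handshake; the application repeats it later because TLS itself never does.
    """
    if now is None:
        now = time.time()
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def cert_seconds_remaining(cert: dict, now: Optional[float] = None) -> float:
    """Seconds until notAfter; negative once the certificate has expired."""
    if now is None:
        now = time.time()
    return ssl.cert_time_to_seconds(cert["notAfter"]) - now


def peer_cert_still_valid(sock: ssl.SSLSocket, now: Optional[float] = None) -> bool:
    """Re-check the peer certificate of an already established SSLSocket.

    getpeercert() returns {} when no certificate was presented or it was not
    verified at handshake time (CERT_NONE); there is nothing to judge then,
    so the check fails closed.
    """
    cert = sock.getpeercert()
    if not cert:
        return False
    return cert_valid_now(cert, now)


class PeerCertWatchdog:
    """Application-side periodic re-check for a long-lived TLS session.

    Hypothetical helper (not an OpenSSL or ssl-module API). It re-evaluates
    the validity window at most once per `interval` seconds and otherwise
    returns the cached verdict, so an expiry is noticed within `interval`
    seconds of happening. It cannot see revocation.
    """

    def __init__(self, cert: dict, interval: float = 60.0):
        self.cert = cert
        self.interval = interval
        self._last_check: Optional[float] = None
        self._last_result = True

    def should_continue(self, now: Optional[float] = None) -> bool:
        """Call from the session's I/O loop; False means stop using the session."""
        if now is None:
            now = time.time()
        if self._last_check is not None and now - self._last_check < self.interval:
            return self._last_result
        self._last_check = now
        self._last_result = cert_valid_now(self.cert, now)
        return self._last_result


if __name__ == "__main__":
    # Drive the watchdog with constructed clock values around the sample
    # notAfter (1366744674 = Apr 23 19:17:54 2013 UTC) instead of sleeping.
    wd = PeerCertWatchdog(SAMPLE_PEER_CERT, interval=60.0)
    for t in (1366744000.0, 1366744680.0, 1366744690.0):
        print(t, "continue" if wd.should_continue(now=t) else "expired, stop")
```

In a real session you would construct the watchdog from `sock.getpeercert()` right after the handshake and call `should_continue()` from the read/write loop; the `interval` bounds how long an expired certificate can keep being used, so pick it against the session's risk rather than leaving the default.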

RE: handling of expired certificates

Eisenacher, Patrick
In reply to this post by Salz, Rich
> From: Salz, Rich
>
> OpenSSL does nothing about this.  It’s an interesting question.  As far as TLS/SSL is concerned,
> it is only using the certificate at the time the connection is initially established, and therefore
> expiration (or revocation) during the application’s use of the certificate is up to the application.
> The only practical use that I can imagine is using something in the cert (DN or an extension) for
> authorization decisions…

If the application has the need to re-verify the certificate on SSL level, it can renegotiate the connection's SSL parameters. Alternatively, it can close down the current connection and establish a new one. Both ways cause a new handshake to be started.


HTH,
Patrick Eisenacher