Developers,
Is openssl sending the correct TLS alert message when certificate validation
fails due to the received certificate being not yet valid?
During TLS authentication, if certificate validation fails, a TLS alert is sent.
If the received certificate has expired, AlertDescription
certificate_expired(45) is being sent.
If the received certificate is not yet valid, AlertDescription
bad_certificate(42) is being sent.
However, the TLS1.0 specification certificate_expired description appears to
apply to the "not yet valid" case as well.
>From the TLS1.0 specification (RFC2246, clause 7.2.2 Error Alerts):
"certificate_expired
A certificate has expired or is not currently valid."
When certificate validation fails due to the certificate being not yet valid,
should openssl be modified to send a TLS alert certificate_expired(45)?
>From a network administrator perspective, this change would also group the
>date/time issues to the same TLS alert, assisting in identifying connection
>issues.
Apologies if this issue has already been raised in the past.
Regards,
Doug
PS:
Observed with openssl-1.0.2k, using wpa_supplicant connecting to a freeradius
server.
See also the openssl code: ssl_verify_alarm_type() in trunk:
<ssl/ssl_statem/statem_lib.c> or 1.0.2k:<ssl/s3_both.c>.
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
