Adam Wosotowsky <[EMAIL PROTECTED]> writes:

> On Mon, Jan 14, 2002 at 09:26:22AM -0800, Eric Rescorla wrote:
> 
> > SSL does not require that the client and server have synchronized
> > clocks, except in the loose sense that a certificate verifier's
> > clock should have some relation to the real time in order to avoid
> > falsely evaluating expiry.
> > 
> > Exactly what behavior are you seeing that leads you to believe
> > that this is a problem?
> > 
> 
> hrm, roughly, this is the segment I'm looking at:
> 
>       there exists a client.  the client has a clientKey, a
>       clientCert, and serverCert.  The server has
>       signed the client's keys.
> 
>       there exists a server, which has a serverKey, and a serverCert.
>       The server's keys have been signed by the overserver.
> 
> If the clocks are within say 30 minutes of each other the SSL handshake
> will go through without a hitch and communications will flow smoothly.
> However, if the clock is set quite a few hours away the SSL handshake
> will not go through and the server will spit out an error in the theme
> of "Function:SSL3_READ_BYTES  Reason:sslv3 alert bad certificate SSL
> alert number 42".  
Judging from this alert, what you've got is clock skew leading
to certificate verification problems. Do your certificates have
really short lifetimes? 

> so I sync'd clocks and voila, it's all good.  No explanation from our
> books on SSL, the manpages, or from the code.  We figure it's gotta be
> something in the deep down that's requiring some sort of time sync,
> perhaps some legacy anti-replay or something.  The problem exists on
> both unix and windows clients.
There's no such feature in SSL, so something else must be going
on. 

What is the application? From the message you referenced, one
gets the impression that you're using OpenSSL with some GSS-API-type-thing,
in which case you might be getting very short lived ephemeral
certificates (a la Kerberos tickets).

-Ekr

-- 
[Eric Rescorla                                   [EMAIL PROTECTED]]
                http://www.rtfm.com/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
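The validity-window check Ekr points at, as an added example that is not part of this thread: it parses notBefore/notAfter exactly as the openssl CLI prints them, evaluates them against a deliberately skewed verifier clock, and reports how much skew a short-lived certificate tolerates before verification fails. The four-hour certificate lifetime and all times are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# OpenSSL prints certificate validity like this ("openssl x509 -noout -dates"):
#   notBefore=Jan 14 17:00:00 2002 GMT
OPENSSL_TIME_FMT = "%b %d %H:%M:%S %Y GMT"

# Constructed sample: an ephemeral certificate with a four-hour lifetime,
# issued at 17:00 GMT, evaluated when the real time is 17:26:22 GMT.
NOT_BEFORE = "notBefore=Jan 14 17:00:00 2002 GMT"
NOT_AFTER = "notAfter=Jan 14 21:00:00 2002 GMT"
REAL_TIME = "Jan 14 17:26:22 2002 GMT"


def parse_openssl_time(value: str) -> datetime:
    """Parse a notBefore=/notAfter= line (or a bare date) as printed by openssl."""
    if "=" in value:
        value = value.split("=", 1)[1]
    return datetime.strptime(value.strip(), OPENSSL_TIME_FMT).replace(tzinfo=timezone.utc)


def check_validity_window(not_before, not_after, verifier_clock):
    """The time check a verifier performs with its *own* clock; a clock skewed
    outside [notBefore, notAfter] rejects a good certificate, and the peer then
    sees a 'bad certificate' alert. Returns (accepted, reason)."""
    if verifier_clock < not_before:
        return False, "not yet valid: clock is %s behind notBefore" % (not_before - verifier_clock)
    if verifier_clock > not_after:
        return False, "expired: clock is %s past notAfter" % (verifier_clock - not_after)
    return True, "within validity window"


def verify_with_skew(not_before_line, not_after_line, real_time_line, skew_seconds):
    """Evaluate the certificate as a verifier whose clock is off by skew_seconds."""
    nb, na = parse_openssl_time(not_before_line), parse_openssl_time(not_after_line)
    clock = parse_openssl_time(real_time_line) + timedelta(seconds=skew_seconds)
    return check_validity_window(nb, na, clock)


def tolerable_skew_seconds(not_before_line, not_after_line, real_time_line):
    """(behind, ahead): how far the clock may be off before verification fails.
    A short-lived certificate leaves only a few hours of room either way."""
    nb, na = parse_openssl_time(not_before_line), parse_openssl_time(not_after_line)
    now = parse_openssl_time(real_time_line)
    return int((now - nb).total_seconds()), int((na - now).total_seconds())


if __name__ == "__main__":
    for skew in (30 * 60, 5 * 3600, -5 * 3600):  # 30 min works, +/-5 h fails
        print("clock off by %+d s -> %s" % (skew, verify_with_skew(NOT_BEFORE, NOT_AFTER, REAL_TIME, skew)))
    print("tolerable skew (behind, ahead) in seconds:", tolerable_skew_seconds(NOT_BEFORE, NOT_AFTER, REAL_TIME))
```

Run the same check against a real certificate by feeding it the two lines from `openssl x509 -noout -dates -in cert.pem`; if the tolerable skew is only a few hours, clock drift between the peers is the first thing to rule out.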