Developers, Is openssl sending the correct TLS alert message when certificate validation fails due to the received certificate being not yet valid?
During TLS authentication, if certificate validation fails, a TLS alert is sent. If the received certificate has expired, AlertDescription certificate_expired(45) is being sent. If the received certificate is not yet valid, AlertDescription bad_certificate(42) is being sent. However, the TLS 1.0 specification's certificate_expired description appears to apply to the "not yet valid" case as well.

From the TLS 1.0 specification (RFC 2246, clause 7.2.2 Error Alerts): "certificate_expired A certificate has expired or is not currently valid."

When certificate validation fails due to the certificate being not yet valid, should openssl be modified to send a TLS alert certificate_expired(45)?

From a network administrator perspective, this change would also group the date/time issues to the same TLS alert, assisting in identifying connection issues.

Apologies if this issue has already been raised in the past.

Regards,
Doug

PS: Observed with openssl-1.0.2k, using wpa_supplicant connecting to a freeradius server. See also the openssl code: ssl_verify_alarm_type() in trunk: <ssl/ssl_statem/statem_lib.c> or 1.0.2k: <ssl/s3_both.c>.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
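The following is an added example, not code from the message above or from OpenSSL. It shows the two behaviours the message contrasts: a small mapping from X.509 verify errors to TLS alert descriptions, with a flag that selects either the observed mapping (not-yet-valid sends bad_certificate(42)) or the proposed one (not-yet-valid sends certificate_expired(45)), plus a decoder for a TLS alert record so an administrator reading a capture can name the alert a peer sent. The numeric constants are the public values from RFC 2246/5246 (alert descriptions, record content type) and OpenSSL's x509_vfy.h (verify error codes); the function names, the `group_time_errors` switch and the sample record bytes are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TLS AlertDescription values from RFC 2246 / RFC 5246 section 7.2.
 * Only the certificate-related ones relevant to the discussion are listed. */
enum {
    TLS_AD_BAD_CERTIFICATE     = 42,
    TLS_AD_CERTIFICATE_REVOKED = 44,
    TLS_AD_CERTIFICATE_EXPIRED = 45,
    TLS_AD_CERTIFICATE_UNKNOWN = 46
};

/* X509 verification result codes, numeric values as in OpenSSL's x509_vfy.h. */
enum {
    X509_V_ERR_CERT_NOT_YET_VALID = 9,
    X509_V_ERR_CERT_HAS_EXPIRED   = 10,
    X509_V_ERR_CERT_REVOKED       = 23
};

#define TLS_CONTENT_TYPE_ALERT 21   /* record-layer ContentType for alerts */
#define TLS_ALERT_LEVEL_FATAL   2

/* Hypothetical mapping (not OpenSSL's ssl_verify_alarm_type()).
 * group_time_errors == 0 reproduces the behaviour observed in the message:
 * a not-yet-valid certificate yields bad_certificate(42).
 * group_time_errors != 0 is the proposed change: both date/time failures
 * yield certificate_expired(45), so they show up under one alert code. */
int verify_error_to_alert(int verify_err, int group_time_errors)
{
    switch (verify_err) {
    case X509_V_ERR_CERT_HAS_EXPIRED:
        return TLS_AD_CERTIFICATE_EXPIRED;
    case X509_V_ERR_CERT_NOT_YET_VALID:
        return group_time_errors ? TLS_AD_CERTIFICATE_EXPIRED
                                 : TLS_AD_BAD_CERTIFICATE;
    case X509_V_ERR_CERT_REVOKED:
        return TLS_AD_CERTIFICATE_REVOKED;
    default:
        return TLS_AD_CERTIFICATE_UNKNOWN;   /* catch-all for this example */
    }
}

/* Human-readable name for an AlertDescription value. */
const char *alert_name(int desc)
{
    switch (desc) {
    case TLS_AD_BAD_CERTIFICATE:     return "bad_certificate";
    case TLS_AD_CERTIFICATE_REVOKED: return "certificate_revoked";
    case TLS_AD_CERTIFICATE_EXPIRED: return "certificate_expired";
    case TLS_AD_CERTIFICATE_UNKNOWN: return "certificate_unknown";
    default:                         return "other";
    }
}

/* Decode one TLS alert record as it appears on the wire:
 *   ContentType(1) ProtocolVersion(2) Length(2) AlertLevel(1) AlertDescription(1)
 * Returns the AlertDescription, or -1 if the bytes are not a well-formed alert
 * record (wrong content type, truncated, or a body length other than 2).
 * The alert level is written to *level_out when that pointer is non-NULL. */
int parse_tls_alert(const uint8_t *rec, size_t len, int *level_out)
{
    if (len < 7 || rec[0] != TLS_CONTENT_TYPE_ALERT)
        return -1;
    uint16_t body_len = (uint16_t)((rec[3] << 8) | rec[4]);
    if (body_len != 2 || len < (size_t)5 + body_len)
        return -1;
    if (level_out)
        *level_out = rec[5];
    return rec[6];
}

int main(void)
{
    /* Constructed sample: a fatal certificate_expired alert, TLS 1.0 version bytes. */
    const uint8_t sample[] = { 0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x2d };
    int level = 0;
    int desc = parse_tls_alert(sample, sizeof sample, &level);
    printf("captured alert: level=%d description=%d (%s)\n",
           level, desc, alert_name(desc));

    printf("not-yet-valid, observed mapping: %s\n",
           alert_name(verify_error_to_alert(X509_V_ERR_CERT_NOT_YET_VALID, 0)));
    printf("not-yet-valid, proposed mapping: %s\n",
           alert_name(verify_error_to_alert(X509_V_ERR_CERT_NOT_YET_VALID, 1)));
    return 0;
}
```

With the proposed mapping, an administrator correlating alerts across many supplicants sees every clock-related validation failure (device clock behind the certificate's notBefore, or ahead of its notAfter) under certificate_expired(45), instead of having the not-yet-valid case hidden among the generic bad_certificate(42) alerts.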