RE: handling of expired certificates
> From: Salz, Rich
>
> OpenSSL does nothing about this. It's an interesting question. As far as
> TLS/SSL is concerned, it is only using the certificate at the time the
> connection is initially established, and therefore expiration (or revocation)
> during the application's use of the certificate is up to the application.
> The only practical use that I can imagine is using something in the cert (DN
> or an extension) for authorization decisions…

If the application has the need to re-verify the certificate on SSL level, it can renegotiate the connection's SSL parameters. Alternatively, it can close down the current connection and establish a new one. Both ways cause a new handshake to be started.

HTH,
Patrick Eisenacher
Re: handling of expired certificates
On Tue, Apr 23, 2013 at 10:17:54AM -0700, Vijaya Venkatachalam wrote:

> So at the time of openssl connection establishment, the certificate is valid.
> But while the connection is still up, the certificate expires.

The certificate was valid at the time it was verified, this is sufficient.

> Is the application supposed to handle this or does openssl handle this?

Nothing needs to be done, so openssl does nothing.

> what should be the application behavior on certificate expiry?

It should keep going.

--
Viktor.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
RE: handling of expired certificates
OpenSSL does nothing about this. It's an interesting question. As far as TLS/SSL is concerned, it is only using the certificate at the time the connection is initially established, and therefore expiration (or revocation) during the application's use of the certificate is up to the application. The only practical use that I can imagine is using something in the cert (DN or an extension) for authorization decisions...

/r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA
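The application-side handling the thread describes, as an added example that is not from any of the list posts: it takes the peer certificate an `ssl.SSLSocket` already verified at handshake time and decides when the application should tear the connection down and reconnect, since only a fresh handshake re-runs chain verification and TLS itself never re-checks expiry mid-connection. `SAMPLE_PEER_CERT` is a constructed dict in the shape `getpeercert()` returns, and the 300-second margin is an assumed policy value.

```python
import ssl
import time

# Constructed stand-in for ssl.SSLSocket.getpeercert(); only the fields this
# check reads are present. Not a real certificate.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Jan  1 00:00:00 2013 GMT",
    "notAfter": "Apr 23 18:00:00 2013 GMT",
}


def seconds_until_expiry(peer_cert, now=None):
    """Seconds left before the peer cert's notAfter; negative once expired.

    notAfter uses the ssl module's GMT string format, which
    ssl.cert_time_to_seconds() turns into a POSIX timestamp.
    """
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(peer_cert["notAfter"]) - now


def should_reconnect(peer_cert, now=None, margin=300):
    """Application policy (assumed): reconnect when the peer cert is within
    `margin` seconds of expiry or already expired. OpenSSL will not do this
    for a live connection; the new handshake is what re-verifies the chain."""
    return seconds_until_expiry(peer_cert, now) <= margin


def watch_connection(ssl_sock, interval=60, margin=300):
    """Poll a live, already-handshaked SSLSocket and close it once the
    verified peer cert is about to expire, so the caller reconnects."""
    cert = ssl_sock.getpeercert()  # verified at handshake, fixed thereafter
    while not should_reconnect(cert, margin=margin):
        time.sleep(interval)
    ssl_sock.close()
```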