handling of expired certificates

2013-04-24 Thread Vijaya Venkatachalam
Hi
 
I am new to openssl application development.
I had a question on how to handle expired certificates.
 
So at the time of openssl connection establishment, the certificate is valid.
But while the connection is still up, the certificate expires.
 
Is the application supposed to handle this or does openssl handle this?
 
what should be the application behavior on certificate expiry?
 
Thanks,
Vijaya

RE: handling of expired certificates

2013-04-24 Thread Salz, Rich
OpenSSL does nothing about this.  It's an interesting question.  As far as 
TLS/SSL is concerned, it is only using the certificate at the time the 
connection is initially established, and therefore expiration (or revocation) 
during the application's use of the certificate is up to the application. The 
only practical use that I can imagine is using something in the cert (DN or an 
extension) for authorization decisions...

/r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA


Re: handling of expired certificates

2013-04-24 Thread Viktor Dukhovni
On Tue, Apr 23, 2013 at 10:17:54AM -0700, Vijaya Venkatachalam wrote:

 So at the time of openssl connection establishment, the certificate is valid.
 But while the connection is still up, the certificate expires.

The certificate was valid at the time it was verified, this is sufficient.

 Is the application supposed to handle this or does openssl handle this?

Nothing needs to be done, so openssl does nothing.

 what should be the application behavior on certificate expiry?

It should keep going.

-- 
Viktor.
__
OpenSSL Project                  http://www.openssl.org
User Support Mailing List        openssl-users@openssl.org
Automated List Manager           majord...@openssl.org


Re: [openssl-users] handling of expired certificates

2013-04-24 Thread Erwann Abalea
OpenSSL doesn't take care of the expiration of your certificate 
automagically in the background and call some function in your 
application to asynchronously tell that the certificate you received 
several seconds ago has now expired.
Identically, OpenSSL doesn't take care of external events that may now 
declare your certificate as revoked.


Verify the validity of the certificate at the current time. If you want 
to periodically check for the validity of the certificate because you're 
using it for a looong session, that's up to you.


--
Erwann ABALEA

On 23/04/2013 19:17, Vijaya Venkatachalam wrote:

Hi
I am new to openssl application development.
I had a question on how to handle expired certificates.
So at the time of openssl connection establishment, the certificate is 
valid.

But while the connection is still up, the certificate expires.
Is the application supposed to handle this or does openssl handle this?
what should be the application behavior on certificate expiry?
Thanks,
Vijaya




RE: handling of expired certificates

2013-04-24 Thread Eisenacher, Patrick
 From: Salz, Rich

 OpenSSL does nothing about this.  It's an interesting question.  As far as 
 TLS/SSL is concerned, it is only using the certificate at the time the 
 connection is initially established, and therefore expiration (or revocation) 
 during the application's use of the certificate is up to the application. 
 The only practical use that I can imagine is using something in the cert (DN 
 or an extension) for authorization decisions...

If the application has the need to re-verify the certificate on SSL level, it 
can renegotiate the connection's SSL parameters. Alternatively, it can close 
down the current connection and establish a new one. Both ways cause a new 
handshake to be started.


HTH,
Patrick Eisenacher
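Added example, not code from any of the posters above: the thread's advice is that OpenSSL only evaluates the certificate during the handshake, so an application holding a long-lived connection must itself re-check the validity period (Erwann's suggestion) and, when the window closes, drop the connection so a new handshake re-verifies the certificate (Patrick's suggestion). The code below does both using only Python's standard `ssl` module, which exposes `notBefore`/`notAfter` from `SSLSocket.getpeercert()` and parses them with `ssl.cert_time_to_seconds`. The class and function names, the fake connection, and the sample certificate dictionary are assumptions constructed for the example, not captured from a real server.

```python
"""Application-side re-check of a peer certificate's validity window.

OpenSSL (and Python's ssl module built on it) verifies the peer certificate
only during the handshake.  An application that keeps a connection open past
the certificate's notAfter has to notice that itself; here a watchdog polls
the window and closes the connection once it has expired so the caller can
reconnect, which forces a fresh handshake and a fresh verification.
All names and the sample data are constructed for this example.
"""
import ssl
import time


def validity_window(peercert):
    """Return (not_before, not_after) as epoch seconds.

    `peercert` has the shape returned by ssl.SSLSocket.getpeercert(): a dict
    whose 'notBefore' / 'notAfter' values look like 'Apr 23 12:00:00 2013 GMT'.
    Caveat: getpeercert() returns an empty dict when the peer certificate was
    not verified (CERT_NONE), so the handshake must verify for these to exist.
    """
    return (ssl.cert_time_to_seconds(peercert["notBefore"]),
            ssl.cert_time_to_seconds(peercert["notAfter"]))


def cert_valid_at(peercert, now):
    """True if `now` (epoch seconds) lies inside the certificate's window."""
    not_before, not_after = validity_window(peercert)
    return not_before <= now <= not_after


def seconds_until_expiry(peercert, now):
    """Seconds the certificate stays valid from `now`; 0 once it has expired."""
    _, not_after = validity_window(peercert)
    return max(0, not_after - now)


class PeerCertWatchdog:
    """Re-evaluates the peer certificate's validity on every tick().

    `connection` is anything with a close() method (e.g. an SSLSocket).
    `clock` is injectable so the expiry path can be exercised without
    waiting for wall-clock time to pass.
    """

    def __init__(self, connection, peercert, clock=time.time):
        self.connection = connection
        self.peercert = peercert
        self.clock = clock
        self.expired_at = None

    def tick(self):
        """Return True while the certificate is still valid.

        On the first tick after expiry, close the connection exactly once so
        the caller reconnects; the new handshake re-verifies the certificate.
        """
        if self.expired_at is not None:
            return False
        now = self.clock()
        if cert_valid_at(self.peercert, now):
            return True
        self.expired_at = now
        self.connection.close()
        return False


class FakeConnection:
    """Stand-in for an SSLSocket that only records whether close() ran."""

    def __init__(self):
        self.closed = False

    def close(self):
        self.closed = True


# Constructed sample in the shape of getpeercert(): valid when the handshake
# happens (10:17:54 GMT) but expiring less than two hours later.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Apr 23 00:00:00 2013 GMT",
    "notAfter": "Apr 23 12:00:00 2013 GMT",
}

HANDSHAKE_TIME = ssl.cert_time_to_seconds("Apr 23 10:17:54 2013 GMT")


def run_demo():
    """Drive the watchdog with a fake clock at 0h, 1h, 2h, 3h after handshake.

    Returns (list of tick() results, whether the connection was closed).
    """
    clock = {"now": HANDSHAKE_TIME}
    conn = FakeConnection()
    watchdog = PeerCertWatchdog(conn, SAMPLE_PEERCERT, clock=lambda: clock["now"])
    results = []
    for offset in (0, 3600, 7200, 10800):
        clock["now"] = HANDSHAKE_TIME + offset
        results.append(watchdog.tick())
    return results, conn.closed


if __name__ == "__main__":
    print(run_demo())  # ([True, True, False, False], True)
```

In a real client, `peercert` comes from `sock.getpeercert()` right after `wrap_socket()`/`do_handshake()`, and `tick()` would be scheduled from the application's event loop or a timer at whatever interval the session's risk tolerance dictates; nothing in OpenSSL will call you back.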