Re: Existing connections on certification expires

On 08/28/2017 09:07 AM, Viktor Dukhovni wrote:
> On Mon, Aug 28, 2017 at 06:13:51AM -0400, Robert Moskowitz wrote:
>
>> 1) What happens to the existing SSL connections on certification expiry?
>> Does openssl disconnect the existing connection?
>
> No, once authenticated, TLS connections continue indefinitely,
> until either party chooses to disconnect.  The expiration of the
> certificate does not invalidate the integrity of the original key
> exchange, and presents no obvious increased risk of active attack.
>
>> Generally speaking:
>>
>> openssl has nothing to do with an SSL/TLS connection.  It created the
>> certificate, it is not the application using the certificate.
>
> This is wrong.  Many applications delegate certificate verification
> to the OpenSSL library.  OpenSSL does not limit connection lifetime
> based on certificate expiration.

Argh, you are right. The libraries are indeed used. I was thinking of the whole program. My error. Thinking too narrowly.

>> That is commonly a server app (HTTPS, IMAPS, VPN server, etc.) and a client
>> (Web browser, Mail client, VPN client).  Most of these pay no attention to
>> the expiry date.
>
> This is wrong.

They pay no attention to the expiry date to force the session to end at that time by adjusting the session lifetime to be no later than the expiry date. Though there are probably apps out there with this behavior.

They do indeed ensure that the certificate is within its dates. A nuance that I did not make clear.


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
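The distinction the thread lands on, as an added example that is not part of the list mail: the validity dates are checked once, at handshake time (OpenSSL's verifier rejects an expired chain then), and an established session is not cut off at notAfter unless the application itself bounds the session lifetime. The `session_deadline` helper below is an assumed application-side policy, not OpenSSL API; the peer certificate dict is constructed to mirror the shape returned by Python's `SSLSocket.getpeercert()`.

```python
import ssl

# Assumed application policy: force a reconnect (and thus a fresh handshake,
# which re-verifies the certificate) at least this often.
MAX_SESSION_SECONDS = 6 * 3600


def cert_validity_window(peercert):
    """Return (notBefore, notAfter) as Unix timestamps from a getpeercert() dict.

    ssl.cert_time_to_seconds parses the OpenSSL-style 'Mon DD HH:MM:SS YYYY GMT'
    strings that getpeercert() returns.
    """
    return (ssl.cert_time_to_seconds(peercert["notBefore"]),
            ssl.cert_time_to_seconds(peercert["notAfter"]))


def check_dates_at_handshake(peercert, now):
    """Mirror the handshake-time date check: reject a certificate that is not
    currently within its validity period, otherwise return its notAfter."""
    not_before, not_after = cert_validity_window(peercert)
    if now < not_before:
        raise ValueError("certificate is not yet valid")
    if now > not_after:
        raise ValueError("certificate has expired")
    return not_after


def session_deadline(peercert, now, max_session_seconds=MAX_SESSION_SECONDS):
    """Application-side policy the thread describes as uncommon: the session
    must end no later than the certificate's notAfter, and no later than the
    configured maximum session age, whichever comes first."""
    not_after = check_dates_at_handshake(peercert, now)
    return min(now + max_session_seconds, not_after)


# Constructed sample, shaped like SSLSocket.getpeercert() output (dates only).
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Aug 28 00:00:00 2017 GMT",
    "notAfter": "Aug 28 00:00:00 2018 GMT",
}

if __name__ == "__main__":
    handshake_time = ssl.cert_time_to_seconds(SAMPLE_PEERCERT["notBefore"]) + 3600
    print("session must end by", session_deadline(SAMPLE_PEERCERT, handshake_time))
```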