[openssl-users] Existing connections on certification expires

Viktor Dukhovni openssl-users at dukhovni.org
Mon Aug 28 13:07:47 UTC 2017


On Mon, Aug 28, 2017 at 06:13:51AM -0400, Robert Moskowitz wrote:

> > 1) What happens to the existing SSL connections on certificate expiry?
> > Does openssl disconnect the existing connection?

No, once authenticated, TLS connections continue indefinitely,
until either party chooses to disconnect.  The expiration of the
certificate does not invalidate the integrity of the original key
exchange, and presents no obvious increased risk of active attack.

> Generally speaking:
> 
> openssl has nothing to do with a SSL/TLS connection.  It created the
> certificate, it is not the application using the certificate.

This is wrong.  Many applications delegate certificate verification
to the OpenSSL library.  OpenSSL does not limit connection lifetime
based on certificate expiration.

> That is commonly a server app (HTTPS, IMAPS, VPN server, etc.) and a client
> (Web browser, Mail client, VPN client).  Most of these pay no attention to
> the expiry date.

This is wrong.

-- 
	Viktor.


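The behaviour described in the reply above, demonstrated end to end in Python against the stdlib ssl module (OpenSSL underneath). This is an added example, not code from the original thread or from the OpenSSL project. It assumes the third-party cryptography package is installed to mint a self-signed certificate for localhost that expires a few seconds after issuance; the functions make_short_lived_cert, _echo_server and demo are this example's own names. A strict client (CERT_REQUIRED, hostname checking) completes a handshake while the certificate is valid, sleeps past notAfter, and keeps exchanging data on the same connection; only a fresh handshake re-runs verification and fails with "certificate has expired".

```python
"""Added example: a TLS connection that outlives its server certificate.
Verification runs once, at the handshake; OpenSSL never re-checks notAfter
on an established session.  Needs the third-party 'cryptography' package."""
import datetime
import os
import socket
import ssl
import tempfile
import threading
import time

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_short_lived_cert(lifetime_seconds):
    """Self-signed cert + key (PEM) for 'localhost', expiring lifetime_seconds from now."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "localhost")])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(seconds=lifetime_seconds))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName("localhost")]), critical=False)
        .sign(key, hashes.SHA256())
    )
    key_pem = key.private_bytes(serialization.Encoding.PEM,
                                serialization.PrivateFormat.PKCS8,
                                serialization.NoEncryption())
    return cert.public_bytes(serialization.Encoding.PEM), key_pem


def _echo_server(server_ctx, listener, connections):
    """Accept `connections` clients and echo until each closes.
    A handshake the client aborts (e.g. it rejects our certificate) is dropped."""
    for _ in range(connections):
        conn, _ = listener.accept()
        try:
            tls = server_ctx.wrap_socket(conn, server_side=True)
        except (ssl.SSLError, OSError):
            conn.close()
            continue
        with tls:
            data = tls.recv(1024)
            while data:
                tls.sendall(data)
                data = tls.recv(1024)


def demo(lifetime_seconds=3, margin_seconds=1.5):
    """Handshake before expiry, keep talking after it, then attempt a fresh handshake."""
    cert_pem, key_pem = make_short_lived_cert(lifetime_seconds)
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        cert_path, key_path = os.path.join(tmp, "cert.pem"), os.path.join(tmp, "key.pem")
        open(cert_path, "wb").write(cert_pem)
        open(key_path, "wb").write(key_pem)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(cert_path, key_path)
        # Strict client: CERT_REQUIRED plus hostname check, trusting only this one cert.
        client_ctx = ssl.create_default_context(cafile=cert_path)

        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.bind(("127.0.0.1", 0))
        listener.listen(2)
        port = listener.getsockname()[1]
        server = threading.Thread(target=_echo_server, args=(server_ctx, listener, 2), daemon=True)
        server.start()

        # Connection 1: verified while the certificate is still valid...
        with socket.create_connection(("127.0.0.1", port)) as raw, \
                client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            result["not_after"] = tls.getpeercert()["notAfter"]
            tls.sendall(b"before expiry")
            result["before"] = tls.recv(1024)
            time.sleep(lifetime_seconds + margin_seconds)  # ...notAfter has now passed...
            tls.sendall(b"after expiry")                    # ...and the session is unaffected.
            result["after"] = tls.recv(1024)

        # Connection 2: a new handshake re-runs verification and is rejected.
        try:
            with socket.create_connection(("127.0.0.1", port)) as raw, \
                    client_ctx.wrap_socket(raw, server_hostname="localhost"):
                result["new_handshake"] = "succeeded"
        except ssl.SSLCertVerificationError as e:
            result["new_handshake"] = e.verify_message  # "certificate has expired"
        server.join(5)
        listener.close()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The run takes a few seconds because it has to wait out the certificate's lifetime; a lifetime of a few seconds keeps the gap between issuance and the first handshake comfortably inside the validity window even on a slow machine.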