[openssl-dev] TLS Alert response when certificate is not yet valid

Doug Smith Doug.Smith at lairdtech.com
Fri Jul 14 17:19:51 UTC 2017


Developers,

Is openssl sending the correct TLS alert message when certificate validation fails due to the received certificate being not yet valid?

During TLS authentication, if certificate validation fails, a TLS alert is sent.
If the received certificate has expired, AlertDescription certificate_expired(45) is being sent.
If the received certificate is not yet valid, AlertDescription bad_certificate(42) is being sent.

However, the TLS1.0 specification certificate_expired description appears to apply to the "not yet valid" case as well.
From the TLS1.0 specification (RFC2246, clause 7.2.2 Error Alerts):
   "certificate_expired
       A certificate has expired or is not currently valid."

When certificate validation fails due to the certificate being not yet valid, should openssl be modified to send a TLS alert certificate_expired(45)?

From a network administrator perspective, this change would also group the date/time issues to the same TLS alert, assisting in identifying connection issues.

Apologies if this issue has already been raised in the past.

Regards,
Doug

PS:
Observed with openssl-1.0.2k, using wpa_supplicant connecting to a freeradius server.
See also the openssl code: ssl_verify_alarm_type() in trunk: <ssl/ssl_statem/statem_lib.c> or 1.0.2k: <ssl/s3_both.c>.
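As an added illustration of the administrator-side point above (not part of the original message or of OpenSSL), the following Python decodes plaintext TLS alert records from a captured byte stream and annotates the two alerts discussed here; the sample bytes are constructed, and the triage wording assumes the OpenSSL 1.0.2k mapping described in the post (42 for not-yet-valid, 45 for expired).

```python
import struct

# RFC 2246 section 7.2.2 AlertDescription values relevant to certificate validation.
ALERT_NAMES = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
CONTENT_TYPE_ALERT = 21


def parse_tls_records(stream):
    """Split a raw TLS byte stream into (content_type, version, payload) tuples.
    A truncated trailing record is dropped rather than guessed at."""
    records, offset = [], 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        body = stream[offset + 5:offset + 5 + length]
        if len(body) < length:
            break  # truncated capture: stop instead of inventing the missing bytes
        records.append((ctype, version, body))
        offset += 5 + length
    return records


def decode_alerts(stream):
    """Return every plaintext alert in the stream as a dict (level, description, name)."""
    alerts = []
    for ctype, _version, body in parse_tls_records(stream):
        if ctype != CONTENT_TYPE_ALERT or len(body) != 2:
            continue  # not an alert, or an encrypted alert (longer than 2 bytes) we cannot read here
        alerts.append({"level": ALERT_LEVELS.get(body[0], "unknown"),
                       "description": body[1],
                       "name": ALERT_NAMES.get(body[1], "other")})
    return alerts


def triage(alert):
    """Map an alert to the first thing an administrator should check (assumes the 1.0.2k mapping)."""
    if alert["description"] == 45:
        return "validity window: certificate expired (check certificate dates and clocks)"
    if alert["description"] == 42:
        return "generic bad_certificate: in OpenSSL 1.0.2k this also covers not-yet-valid, so check clocks too"
    return "not a validity-window alert: " + alert["name"]


# Constructed sample: a ServerHelloDone handshake record, then a fatal certificate_expired
# alert (45) and a fatal bad_certificate alert (42), as a client would send after verify failure.
SAMPLE_STREAM = bytes.fromhex("16030100040e000000") + bytes.fromhex("1503010002022d") + bytes.fromhex("1503010002022a")
```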