OpenSSL: determining the cause of "bad certificate"

I am using pyOpenSSL, which is a wrapper around OpenSSL. I had a client program trying to connect to my server and was repeatedly getting "sslv3 alert bad certificate" on the server. It was only when I realized that it was due to the client's clock being set wrong that I was able to figure out the problem. I am assuming that the client saw the server's certificate as dated in the "future" and somehow that resulted in "sslv3 alert bad certificate" on the server.

Is there a way to get more detailed descriptions of why a particular certificate failed? My guess is that in this case, the validation failed on the client side due to the clock not being set correctly, but the error on the server side is the same as if a bad certificate was sent and the validation was not done on the server side.

+3




1 answer


Unfortunately, the problem descriptions are rather limited. Errors are reported with TLS alerts. Each alert is just a number without any additional information, and only a few alerts are defined; see http://en.wikipedia.org/wiki/Transport_Layer_Security#Alert_protocol. For example, there is an alert for an expired certificate, but there is no alert for a certificate that is not yet valid, which would be necessary in your case. So all the client can send back is that the certificate is bad.



+2
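The answer's point that an alert is only a number can be seen by decoding an alert record by hand. This is an added example, not part of the original answer: the record bytes are constructed, the helper name parse_alert_record is made up for the illustration, and it assumes a plaintext alert as sent during a TLS 1.2 or earlier handshake.

```python
import struct

# Certificate-related AlertDescription values from RFC 5246, section 7.2.
# There is a code for an expired certificate but none for "not yet valid".
CERT_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}
LEVELS = {1: "warning", 2: "fatal"}
ALERT_CONTENT_TYPE = 21


def parse_alert_record(record: bytes) -> dict:
    """Decode one plaintext TLS alert record (5-byte header + 2-byte body)."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, version, length = struct.unpack("!BHH", record[:5])
    if content_type != ALERT_CONTENT_TYPE:
        raise ValueError(f"not an alert record (content type {content_type})")
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        # Alerts sent after encryption is switched on are longer than 2 bytes.
        raise ValueError("not a plaintext alert: body must be exactly 2 bytes")
    level, description = body
    return {
        "version": f"{version >> 8}.{version & 0xFF}",
        "level": LEVELS.get(level, f"unknown({level})"),
        "code": description,
        "name": CERT_ALERTS.get(description, f"alert({description})"),
    }


# Constructed sample: fatal bad_certificate (02 2a) in a record-version 3.3 header.
SAMPLE = bytes.fromhex("1503030002022a")

if __name__ == "__main__":
    # The whole message is level + code; the reason for rejection is not in it.
    print(parse_alert_record(SAMPLE))
```

The verifying side is the only place the detailed reason exists, so that is where it has to be logged.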








