[Users] [Bulk] Re: Certificate pop-up message

ratinox at gweep.net ratinox at gweep.net
Thu Oct 4 22:20:07 CEST 2012

On Thu, 4 Oct 2012 20:38:11 +0100
Kevin Chadwick <ma1l1ists at yahoo.co.uk> wrote:

> It seems you can't differentiate between an actually expired
> certificate and one the computer believes is expired! The RFC refers
> to an actually expired certificate. Your barking up the wrong tree.

Certificate expiration dates are checked and validated by the client.
Read the RFCs; they state this as requirements for the SSL handshake.
If the client computer's clock is wrong and this leads to the false
determination that a certificate has expired then it is the client
computer's owner fault.

You'll run into the same kinds of problems with authentication systems
like APOP. The APOP name digest uses a MD5 hash of several pieces of
data including a decimal representations of the client and server
system clocks. If client and server times don't match up then
authentication fails because the hashes won't match.

Having reasonably accurate clocks isn't an assumption. It's a
requirement. If the stock NTP configuration isn't cutting it on your
friend's computer then perhaps you should look into fixing it (hint:
change the polling interval) instead of complaining about how everything
else is broken. Fact is, everything else isn't broken. Your persistence
to the contrary is just going to get you labeled a crackpot assuming
that hasn't happened already.

\m/ (--) \m/

More information about the Users mailing list