
System time and certificates - Information Security Stack Exchange
Nov 29, 2012 · Since your time ended up ahead by a month, you probably browsed to a site that was nearing needing to replace their SSL certificate and so your browser thought it invalid. If you changed the time on the server, the server would think it ok, but any clients connecting would have the actual time and reject the certificate as out of date.
certificates - On-line cryptographically signed date/time ...
Certs in the future would be a serious issue. If the time service is run in-house, the people able to tamper with it are the same (or close) to the ones with an incentive to do so, in order to subvert the trusted device to generate certs in the future. Thus I prefer an independent date/time source.
tls - Is it technically possible to configure two different SSL ...
A renegotiation looks very much like an initial negotiation, although it may pass some information from the previous negotiation forward to try and smooth the path (e.g., here's the cipher we agreed upon last time). So the Client sends a ClientHello, then the server sends a ServerHello, then the server sends a Server Certificate (7.4.2).
tls - Can a SSL certificate have longer validity period than its …
Apr 14, 2016 · No, I see plenty of certs used within an organization which will be valid long after the CA certs used to verify them are expired. This happens when each cert is set to last a specific period (e.g. 365 days...). The certs issued later will have a later expiration date than the issuer. They will also be useless as they cannot be verified.
What role does clock synchronization play in SSL communication
Simple version (for managers): Time syncs can prevent replay attacks. Without them, someone could record the packets sent between client and server, decrypt, modify data, then resend the packet stream and no one would be the wiser. But, because decryption takes time, a timestamp (validated on both sides) can indicate that the stream is a 'replay'.
Why are certificates limited in time?
May 15, 2014 · Although the certificate has a finite validity period it can be revoked at any time. The act of revocation places the serial number of that certificate into a certificate revocation list (CRL). Each certificate will include a link to a location where the latest CRL has been published by the issuer of that certificate.
Should expired (root) certificates be deleted from the certificate ...
Jan 28, 2025 · This means that if signature was created 20 years ago and signing time is embedded in signature, then you can successfully validate signature after signing (or any certificate in its chain) expiration, because code signing validation logic checks if signing certificate was valid at signing time, not validation time.
Same SAN listed in different certificates, both valid at the same …
Dec 8, 2016 · The application below is well able to handle the case where same client is using different server for next connection each time, also it is likely connections will be long-lived. So, basically, to add TLS to this service both servers should have the certificate with this common service name, svc.example.org.
tls - How to allow a user to login via client X.509 certificate or ...
Dec 3, 2024 · Also note that you need some way to know you can trust the certificate. This usually means having your own CA, generating private/public key pairs, generating a CSR, sending it to the server, knowing (via other means, e.g. user/password) who the user is, signing the cert, sending it back, and having it installed in the user's system.
SSL certificate working ok on Firefox but not for Chrome
Oct 12, 2024 · There are several issues. The reason why TLS seems to be “working OK” in Firefox but not in Chrome has been explained by Steffen Ullrich.