From: Luke Kurlandski <44705759+lkurlandski@users.noreply.github.com> Date: Tue, 4 Mar 2025 16:53:36 +0000 (-0500) Subject: Improved error message for X509_V_ERR_CERT_NOT_YET_VALID X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0efc439a3be54a6eb73015e997aa6a6f375b77ef;p=thirdparty%2Fopenssl.git Improved error message for X509_V_ERR_CERT_NOT_YET_VALID In addition to an invalid certificate, it is not unlikely that this exact error (case X509_V_ERR_CERT_NOT_YET_VALID) is caused by an incorrect system clock. This cannot be trivially fixed, so for now, we simply improve the quality of the error message. Fixes #14771 CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27141) --- diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c index e825ce2db8b..edbf5bdbb1f 100644 --- a/crypto/x509/x509_txt.c +++ b/crypto/x509/x509_txt.c @@ -40,7 +40,7 @@ const char *X509_verify_cert_error_string(long n) case X509_V_ERR_CRL_SIGNATURE_FAILURE: return "CRL signature failure"; case X509_V_ERR_CERT_NOT_YET_VALID: - return "certificate is not yet valid"; + return "certificate is not yet valid or the system clock is incorrect"; case X509_V_ERR_CERT_HAS_EXPIRED: return "certificate has expired"; case X509_V_ERR_CRL_NOT_YET_VALID: