From 0efc439a3be54a6eb73015e997aa6a6f375b77ef Mon Sep 17 00:00:00 2001
From: Luke Kurlandski <44705759+lkurlandski@users.noreply.github.com>
Date: Tue, 4 Mar 2025 11:53:36 -0500
Subject: [PATCH] Improved error message for X509_V_ERR_CERT_NOT_YET_VALID

In addition to an invalid certificate, it is not unlikely that this
exact error (case X509_V_ERR_CERT_NOT_YET_VALID) is caused by an
incorrect system clock. This cannot be trivially fixed, so for now,
we simply improve the quality of the error message.

Fixes #14771

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27141)
---
 crypto/x509/x509_txt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
index e825ce2db8b..edbf5bdbb1f 100644
--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -40,7 +40,7 @@ const char *X509_verify_cert_error_string(long n)
     case X509_V_ERR_CRL_SIGNATURE_FAILURE:
         return "CRL signature failure";
     case X509_V_ERR_CERT_NOT_YET_VALID:
-        return "certificate is not yet valid";
+        return "certificate is not yet valid or the system clock is incorrect";
     case X509_V_ERR_CERT_HAS_EXPIRED:
         return "certificate has expired";
     case X509_V_ERR_CRL_NOT_YET_VALID:
-- 
2.47.2