[lug] Understanding a SSL/TLS Certificate Issue

Stephen Kraus ub3ratl4sf00 at gmail.com
Fri Jun 19 11:07:13 MDT 2020


That's before you get into BIOS clocks with drift issues.

On Fri, Jun 19, 2020 at 12:53 PM David Stearns <stearns at dhyw.com> wrote:

> I used to regularly run across systems where ntp wasn't running, and
> someone had set the month/day/hour/minute by hand (if they set it at all),
> but the year was sitting at whatever the BIOS reset to, so sometimes you'd
> have a system that looked fine at first glance but was actually off by over
> a decade.
>
> -DS
>
> On Fri, Jun 19, 2020 at 10:26 AM Bear Giles <bgiles at coyotesong.com> wrote:
>
>> I was a bit confused by that. I use Kerberos and it's important to keep
>> the clocks synced with ntp. They don't have to be synced to within a
>> fraction of a second but tickets might only be valid for 5 minutes and
>> pre-ntp drifts that large or larger were common.
>>
>> Server certs are usually valid for several months. I think LetsEncrypt
>> defaults to 3 months now, although you can request a shorter lifespan if
>> desired. It's hard to imagine a system clock being off by months. CA
>> working certs are valid for longer periods and should be rotated. E.g.,
>> they might be valid for 12 months with a new cert created on 01/01 and
>> 07/01. Requests are always signed with the latest cert. That means that
>> existing certs will always be backed by a valid cert plus a little more
>> time for client software that's a bit more flexible in enforcing validity
>> checks.
>>
>> Bear
>> _______________________________________________
>> Web Page:  http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
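The two failure modes the thread describes (a local clock that is off by seconds or by a decade, and CA working certs rotated every six months with a twelve-month lifetime) can be checked mechanically. The following is an added example written for this page, not code posted by anyone in the thread. It uses only the Python standard library; `ssl.cert_time_to_seconds` parses the date format that `openssl x509 -dates` prints. The certificate records, the sample dates and the rotation schedule are constructed, and the `tolerance_seconds` allowance is a model of the slack some client software grants, not a documented default of any particular implementation.

```python
"""Added example: validity-window checks for X.509 certificate dates.
Models a skewed local clock and a CA cert rotation schedule where a new
working cert is issued every six months with a twelve-month lifetime.
All dates and certificate records below are constructed sample data."""
from datetime import datetime, timedelta, timezone
import ssl


def parse_cert_time(text):
    """Parse an OpenSSL-style date such as 'Jun 19 00:00:00 2020 GMT'
    (the format `openssl x509 -dates` prints) into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def make_cert(name, not_before_text, lifetime_days):
    """Constructed certificate record holding only the fields the checks need."""
    not_before = parse_cert_time(not_before_text)
    return {"name": name, "not_before": not_before,
            "not_after": not_before + timedelta(days=lifetime_days)}


def validity_status(cert, now, tolerance_seconds=0):
    """Classify `now` against the cert's window. `tolerance_seconds` models
    a small clock-skew allowance (an assumption, not a standard value)."""
    tolerance = timedelta(seconds=tolerance_seconds)
    if now + tolerance < cert["not_before"]:
        return "not_yet_valid"
    if now - tolerance > cert["not_after"]:
        return "expired"
    return "valid"


def diagnose(cert, local_now, reference_now):
    """Compare the verdict under the local clock with the verdict under a
    trusted reference clock (what an NTP-synced host would report). If the
    two disagree, the failure is a clock problem, not a certificate problem.
    Returns (verdict, skew) where skew = local clock minus reference clock."""
    local = validity_status(cert, local_now)
    reference = validity_status(cert, reference_now)
    skew = local_now - reference_now
    if local == reference:
        return reference, skew
    return "clock_skew", skew


def latest_issuer(ca_certs, when):
    """Pick the most recently issued CA working cert that is valid at `when`
    (the 'requests are always signed with the latest cert' rule)."""
    live = [c for c in ca_certs if c["not_before"] <= when <= c["not_after"]]
    return max(live, key=lambda c: c["not_before"]) if live else None


def leaf_covered(leaf, ca):
    """A leaf is backed for its whole lifetime only if its validity window
    lies entirely inside the issuing CA cert's window."""
    return (ca["not_before"] <= leaf["not_before"]
            and leaf["not_after"] <= ca["not_after"])


# Constructed sample data: a 90-day server cert and a six-month rotation of
# 365-day CA working certs issued on 01/01 and 07/01.
LEAF = make_cert("www", "Jun 19 00:00:00 2020 GMT", 90)
CA_CERTS = [
    make_cert("ca-2020-01", "Jan  1 00:00:00 2020 GMT", 365),
    make_cert("ca-2020-07", "Jul  1 00:00:00 2020 GMT", 365),
    make_cert("ca-2021-01", "Jan  1 00:00:00 2021 GMT", 365),
]

if __name__ == "__main__":
    true_now = parse_cert_time("Jun 19 12:00:00 2020 GMT")
    # Host whose BIOS clock reset: month/day/time set by hand, wrong decade.
    bad_clock = parse_cert_time("Jun 19 12:00:00 2010 GMT")
    print(diagnose(LEAF, bad_clock, true_now))   # ('clock_skew', -3653 days)
    print(diagnose(LEAF, true_now, true_now))    # ('valid', 0:00:00)
    ca = latest_issuer(CA_CERTS, LEAF["not_before"])
    print(ca["name"], leaf_covered(LEAF, ca))     # ca-2020-01 True
```

Running `diagnose` against a reference clock is the quick way to tell an "expired" or "not yet valid" error caused by a decade-old BIOS clock from a genuinely lapsed certificate: the verdict flips to `clock_skew` and the returned skew says by how much. The `latest_issuer` and `leaf_covered` pair shows why signing with the newest working cert matters: a 90-day leaf issued in December under the January CA cert would outlive its issuer, while the same leaf under the July cert is covered for its whole lifetime.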

