#publickeyinfrastructure

Just spent some quality time figuring out why HTTPS requests with incorrect system time would fail - even though the time was between the certificate NotBefore and NotAfter.

OCSP stapling was the culprit. This adds a more strict "window of system time validity" due to the way the protocol works. The obvious reason for the smallish window is to allow caching, while reducing the replay attack possibilities. Thus, the system clock can't be backdated more than a few hours, regardless of certificate NotBefore. The system time can be more off towards the future.

In our use case, we don't need to worry about revocation and hence we will just kill OCSP use. With this, we will still have the limits set by the certificate NotBefore and NotAfter, but at least they're more predictable and somewhat laxer.
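To make the two windows in the post concrete, here is an added example (my own illustration, not code from the poster) that models what a TLS client checks against its local clock: the certificate's NotBefore/NotAfter range, and separately the OCSP response's thisUpdate/nextUpdate range (RFC 6960 SingleResponse fields). The timestamps are constructed, and the clock-skew tolerance applied to the OCSP window is an assumed value; real clients differ in how much skew they accept. The example shows a backdated clock that passes the certificate check but fails the OCSP freshness check, and how disabling the OCSP check removes that failure while the certificate limits remain.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

UTC = timezone.utc

# Assumed tolerance for clock skew on the OCSP window; clients vary here.
ASSUMED_CLOCK_SKEW = timedelta(minutes=5)


@dataclass(frozen=True)
class CertWindow:
    """Validity period from the X.509 certificate (notBefore/notAfter)."""
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class OcspWindow:
    """Freshness period from the stapled OCSP response (thisUpdate/nextUpdate)."""
    this_update: datetime
    next_update: datetime


def check_cert_time(now: datetime, cert: CertWindow) -> List[str]:
    """Return a list of problems with the certificate validity window (empty if ok)."""
    problems = []
    if now < cert.not_before:
        problems.append("cert: not yet valid (clock before notBefore)")
    if now > cert.not_after:
        problems.append("cert: expired (clock after notAfter)")
    return problems


def check_ocsp_time(now: datetime, ocsp: OcspWindow,
                    skew: timedelta = ASSUMED_CLOCK_SKEW) -> List[str]:
    """Return a list of problems with the OCSP response freshness window.

    The response is only accepted when the clock lies within
    [thisUpdate - skew, nextUpdate + skew]; a clock backdated further than
    the skew before thisUpdate is treated as a possible replayed response.
    """
    problems = []
    if now < ocsp.this_update - skew:
        problems.append("ocsp: response from the future (clock before thisUpdate)")
    if now > ocsp.next_update + skew:
        problems.append("ocsp: response stale (clock after nextUpdate)")
    return problems


def diagnose(now: datetime, cert: CertWindow, ocsp: OcspWindow,
             use_ocsp: bool = True) -> List[str]:
    """Combine both checks; with use_ocsp=False only the certificate window applies."""
    problems = check_cert_time(now, cert)
    if use_ocsp:
        problems += check_ocsp_time(now, ocsp)
    return problems


# Constructed sample data: a one-year certificate and a one-week OCSP response.
SAMPLE_CERT = CertWindow(
    not_before=datetime(2024, 1, 1, tzinfo=UTC),
    not_after=datetime(2024, 12, 31, tzinfo=UTC),
)
SAMPLE_OCSP = OcspWindow(
    this_update=datetime(2024, 6, 10, 12, 0, tzinfo=UTC),
    next_update=datetime(2024, 6, 17, 12, 0, tzinfo=UTC),
)


if __name__ == "__main__":
    # A clock backdated nine days is still inside the certificate window but
    # outside the OCSP window, which is the failure described in the post.
    backdated = datetime(2024, 6, 1, 12, 0, tzinfo=UTC)
    print("with OCSP:   ", diagnose(backdated, SAMPLE_CERT, SAMPLE_OCSP))
    print("without OCSP:", diagnose(backdated, SAMPLE_CERT, SAMPLE_OCSP, use_ocsp=False))
```

Running the script shows the backdated clock rejected only by the OCSP check; the same clock is accepted once OCSP is skipped, leaving just the certificate's own window as the limit.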