SSL Certificate expires while connected

Question

Hey everyone just a quick question.

Lets say I am connected to a server with a SSL connection. Now say while I am connected the Certificate expires. Will the connection close or is nothing going to happen at all?

I would think that nothing will happen at all but I'm not 100 % sure.

Answer 1

To extend the other answers: the certificate will only be checked within a full handshake. Usually at most one full handshake is done per TCP connection (at the beginning) but with renegotiation another full handshake might be done.

But with session resumption only the first TCP connection in the SSL session will do a full handshake. This means that it will not detect a changed or expired certificate even when establishing a new TCP connection as long as an existing SSL session is resumed inside this TCP connection.

The reasoning behind this: The certificate is used to make sure that the SSL session is with the expected party and not some man in the middle attacker. So it must be checked at the beginning of the SSL session, i.e. a whenever a full handshake is done. Since an established SSL session is integrity protected a man in the middle tampering with the connection would be detected. So one does not again need to verify the certificate during the SSL.

Answer 2

The certificate will be checked once for validity at the beginning of the connection, and again during the connection (or a subsequent one sharing the same session) if either side requests a full handshake, which is usually only done to escalate the cipher suites, request a client certificate, etc.

Answer 3

It depends on the client implementation.

However, the connection will likely remain active as the validity of the certificate is checked during the TLS/SSL handshake, which happens once at the beginning of the session when the connection is opened.