Commit 0efc439a3b for openssl.org

commit 0efc439a3be54a6eb73015e997aa6a6f375b77ef
Author: Luke Kurlandski <44705759+lkurlandski@users.noreply.github.com>
Date:   Tue Mar 4 11:53:36 2025 -0500

    Improved error message for X509_V_ERR_CERT_NOT_YET_VALID

    In addition to an invalid certificate, it is not unlikely that this
    exact error (case X509_V_ERR_CERT_NOT_YET_VALID) is caused by an
    incorrect system clock. This cannot be trivially fixed, so for now,
    we simply improve the quality of the error message.

    Fixes #14771

    CLA: trivial

    Reviewed-by: Matt Caswell <matt@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/27141)

diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
index e825ce2db8..edbf5bdbb1 100644
--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -40,7 +40,7 @@ const char *X509_verify_cert_error_string(long n)
     case X509_V_ERR_CRL_SIGNATURE_FAILURE:
         return "CRL signature failure";
     case X509_V_ERR_CERT_NOT_YET_VALID:
-        return "certificate is not yet valid";
+        return "certificate is not yet valid or the system clock is incorrect";
     case X509_V_ERR_CERT_HAS_EXPIRED:
         return "certificate has expired";
     case X509_V_ERR_CRL_NOT_YET_VALID: