Comparing X.509 certificate validation errors across TLS libraries

IT professionals often encounter certificate validation errors when dealing with TLS. In such situations, their decisions may be crucial for the security of the systems they implement. However, error messages differ depending on the TLS library used, and official documentation usually does not help much. This thesis compares the certificate validation errors that occur in five common TLS libraries. To do so, it employs a custom set of erroneous certificates. Furthermore, a simple TLS connection is implemented in each of the five libraries. As a result, we establish a mapping between the corresponding errors from different libraries. The mapping is published online, together with the erroneous certificates and the TLS source code. All three resources are intended for developers who need guidance.


Faculty of Informatics

Date of Completion: spring 2021



Martin Ukrop


Pavol Žáčik