That's actually a quite easy to understand problem as well.
The difference is pretty major. It's believable that someone forgot to consider the case where a new certificate was negotiated. It's downright inconceivable that no one tested whether a bad certificate failed validation. That's like selling a pregnancy test without testing what happens if the person isn't pregnant.
The difference is pretty major. It's believable that someone forgot to consider the case where a new certificate was negotiated. It's downright inconceivable that no one tested whether a bad certificate failed validation. That's like selling a pregnancy test without testing what happens if the person isn't pregnant.