[openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Jul 22 16:47:48 UTC 2015
On Wed, Jul 22, 2015 at 03:36:40PM +0000, David Woodhouse via RT wrote:
> FWIW the Linux kernel also specifically avoids checking timestamps
> altogether when validating signed modules.
You probably need a dedicated implementation of X509_verify_cert().
When dealing with "data at rest" (signed email, signed code, ...)
certificate expiration needs to be understood in the context of
time of signature, not time of verification.
Ideally (this generally works for email), the verifier "initially"
verifies the signed object before the expiration time of the
certificate and then caches this fact in some manner, so that
subsequent verification can ignore the certificate entirely, and
just check the the object has not changed since initially verified.
If caching results of initial verification is not an option, then
perhaps disabling expiration checks is a last-resort option. There
are ways (with care) to do this via the verify callback, which can
be made to suppress *only* expiration errors and fail on all other
errors.
--
Viktor.
More information about the openssl-dev
mailing list