[openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled
David Woodhouse
dwmw2 at infradead.org
Wed Jul 22 22:43:24 UTC 2015
On Wed, 2015-07-22 at 15:02 -0700, Alexander Gostrer wrote:
> Maybe it is the time to introduce the 64-bit UNIX time? Anything else
> looks like a patch.

Theoretically, we can already encode notAfter values as a
GeneralizedTime of up to 99991231235959Z (i.e. Y10K) in an X.509
certificate.

The limitation is purely an implementation issue — not only is it a
fairly safe bet that a lot of software will crap itself on seeing a
GeneralizedTime at all (since for dates before we MUST use UTCTime
instead), but a lot of 32-bit implementations are known to break even
for UTCTime values later than 2038.

So certificates which do this are just not going to interoperate very
well at all.

--
dwmw2