[openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

Woodhouse, David via RT rt at openssl.org
Thu Jul 30 21:55:36 UTC 2015


On Tue, 2015-07-28 at 11:00 +0000, Salz, Rich via RT wrote:
> It seems that the simplest and most obvious thing is to indicate that 
> you don't care about the dates, which is what this patch does.

Obviously I agree, but life's too short to argue about it and I *do*
have a viable alternative, with a verify_cb function that just ignores
X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED.

So (for the record) I've submitted patches to EDKII which do precisely
that, and I don't depend on this patch any more. Close the RT if you
wish.

Having said that, if OpenSSL *does* gain this functionality then I'll
happily change the EDKII code to make use of it, because I think it's
the better approach.

If requested, I can still provide a patch with the alternative variant
of using a X509_V_FLAG_NO_CHECK_TIME flag if that's considered better
than using a 'special' time of (time_t)-1 with
X509_VERIFY_PARAM_set_time().

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
