[openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

Viktor Dukhovni openssl-users at dukhovni.org
Thu Jul 30 22:08:03 UTC 2015


On Thu, Jul 30, 2015 at 09:55:36PM +0000, Woodhouse, David via RT wrote:

> On Tue, 2015-07-28 at 11:00 +0000, Salz, Rich via RT wrote:
> > It seems that the simplest and most obvious thing is to indicate that 
> > you don't care about the dates, which is what this patch does.
> 
> Obviously I agree, but life's too short to argue about it and I *do*
> have a viable alternative, with a verify_cb function that just ignores
> X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED.

You have to be careful how you do that.  The final error in the
X509_STORE_CTX is the *last* error reported, and other errors
may also have been detected earlier.

If your callback always returns the "ok" input except for the two
above errors, you're fine.  But if it returns "1" in additional cases,
and then in the end you look at the store error status, you may be
in trouble.  That's an issue in applications that don't immediately
terminate the handshake on authentication errors, and disconnect
more gracefully at the application layer when authentication fails.

-- 
	Viktor.
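The pitfall described above, as an added example that is not part of the original thread and does not use the OpenSSL API itself: it is a small C model of the verify-callback protocol (the verifier stores the current error in the context before each callback invocation, so the context ends up holding only the last error reported). The type and function names (`model_ctx`, `model_verify`, the `M_X509_V_*` constants and their numeric values, the callbacks and decision helpers) are this example's own; the scenario, a chain that is both untrusted and expired with the untrusted error reported first, is constructed.

```c
#include <stdio.h>

/*
 * Simplified model of OpenSSL's verify-callback protocol (not the OpenSSL
 * API): before each failed check the verifier stores the current error in
 * the ctx and calls the callback with ok=0; the callback's return value
 * decides whether verification continues.  Afterwards the ctx holds only
 * the LAST error that was reported.  Error names mirror OpenSSL's; the
 * numeric values are this model's own.
 */
enum {
    M_X509_V_OK = 0,
    M_X509_V_ERR_CERT_NOT_YET_VALID = 9,
    M_X509_V_ERR_CERT_HAS_EXPIRED = 10,
    M_X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19
};

#define MAX_SEEN 16

typedef struct {
    int error;            /* what the final "get error" call would return */
    int seen[MAX_SEEN];   /* application-owned record of every error reported */
    int nseen;
} model_ctx;

typedef int (*model_verify_cb)(int ok, model_ctx *ctx);
typedef int (*model_decide_fn)(const model_ctx *ctx);

static int is_time_error(int err)
{
    return err == M_X509_V_ERR_CERT_NOT_YET_VALID ||
           err == M_X509_V_ERR_CERT_HAS_EXPIRED;
}

/* Run the checks in order; 'checks' lists the error each check raises
 * (M_X509_V_OK for a passing check).  Returns the overall verify result. */
static int model_verify(const int *checks, int n, model_verify_cb cb, model_ctx *ctx)
{
    int i;
    ctx->error = M_X509_V_OK;
    ctx->nseen = 0;
    for (i = 0; i < n; i++) {
        int ok = (checks[i] == M_X509_V_OK);
        if (!ok)
            ctx->error = checks[i];      /* overwrites any earlier error */
        if (!cb(ok, ctx))
            return 0;                    /* verification aborted here */
    }
    return 1;
}

/* Pattern from the thread: pass 'ok' through except for the two time errors. */
static int ignore_time_only_cb(int ok, model_ctx *ctx)
{
    if (!ok && is_time_error(ctx->error))
        return 1;
    return ok;
}

/* "Decide later" pattern: always continue, inspect ctx->error afterwards. */
static int continue_always_cb(int ok, model_ctx *ctx)
{
    (void)ok; (void)ctx;
    return 1;
}

/* Same, but remembers every error so the application can inspect them all. */
static int record_all_cb(int ok, model_ctx *ctx)
{
    if (!ok && ctx->nseen < MAX_SEEN)
        ctx->seen[ctx->nseen++] = ctx->error;
    return 1;
}

/* Application-layer decision based only on the final ctx error: unsafe,
 * because an earlier non-time error has already been overwritten. */
static int accept_by_last_error(const model_ctx *ctx)
{
    return ctx->error == M_X509_V_OK || is_time_error(ctx->error);
}

/* Application-layer decision requiring every reported error to be a time error. */
static int accept_by_all_errors(const model_ctx *ctx)
{
    int i;
    for (i = 0; i < ctx->nseen; i++)
        if (!is_time_error(ctx->seen[i]))
            return 0;
    return 1;
}

/* Convenience wrappers: final ctx error, and the application's decision. */
static int final_error_after(const int *checks, int n, model_verify_cb cb)
{
    model_ctx ctx;
    model_verify(checks, n, cb, &ctx);
    return ctx.error;
}

static int accepted_after(const int *checks, int n, model_verify_cb cb, model_decide_fn decide)
{
    model_ctx ctx;
    model_verify(checks, n, cb, &ctx);
    return decide(&ctx);
}

/* Constructed scenario: chain is untrusted AND expired, untrusted reported first. */
static const int untrusted_then_expired[] = {
    M_X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
    M_X509_V_ERR_CERT_HAS_EXPIRED
};

int main(void)
{
    model_ctx ctx;
    int ok = model_verify(untrusted_then_expired, 2, ignore_time_only_cb, &ctx);
    printf("ignore-time-only: verify ok=%d, final error=%d\n", ok, ctx.error);
    printf("continue-always + last-error check: accept=%d (final error=%d)\n",
           accepted_after(untrusted_then_expired, 2, continue_always_cb, accept_by_last_error),
           final_error_after(untrusted_then_expired, 2, continue_always_cb));
    printf("record-all + all-errors check: accept=%d\n",
           accepted_after(untrusted_then_expired, 2, record_all_cb, accept_by_all_errors));
    return 0;
}
```

With the strict callback, verification stops at the untrusted-chain error and the final error is that error. With the always-continue callback the final error is the expiry, so an application that only consults the last error accepts an untrusted chain; recording every reported error and requiring all of them to be time errors rejects it.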

