[openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled
David Woodhouse
dwmw2 at infradead.org
Thu Jul 30 22:20:05 UTC 2015
On Thu, 2015-07-30 at 22:08 +0000, Viktor Dukhovni wrote:
>
> > Obviously I agree, but life's too short to argue about it and I *do*
> > have a viable alternative, with a verify_cb function that just ignores
> > X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED.
>
> You have to be careful how you do that. The final error in the
> X509_STORE_CTX is the *last* error reported, and other errors
> may also have been detected earlier.
>
> If your callback always returns the "ok" input except for the two
> above errors, you're fine. But if it returns "1" in additional cases,
> and then in the end you look at the store error status, you may be
> in trouble. That's an issue in applications that don't immediately
> terminate the handshake on authentication errors, and disconnect
> more gracefully at the application layer when authentication fails.

Thanks for the warning. I don't believe we're looking at the store
error status at all; we only care about the return value from
X509_verify_cert() — either directly, or when PKCS7_verify() calls it.
(There's no SSL here; only crypto. It's for verifying certificate
chains and checking signatures on boot images).

So I think it's fine.
--
David Woodhouse Open Source Technology Centre
David.Woodhouse at intel.com Intel Corporation
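
The pitfall discussed in this message, as an added example that is not part of the original thread and is not OpenSSL code: a self-contained C model in which the context keeps only the last error reported to the callback. `model_ctx`, `model_verify` and the callback names are hypothetical stand-ins, and the error constants are redefined locally with the values used in OpenSSL's `x509_vfy.h`.

```c
#include <stdio.h>
#include <stddef.h>

/* Values mirror OpenSSL's x509_vfy.h; redefined so the model needs no OpenSSL. */
enum { V_OK = 0, V_ERR_CERT_SIGNATURE_FAILURE = 7,
       V_ERR_CERT_NOT_YET_VALID = 9, V_ERR_CERT_HAS_EXPIRED = 10 };

struct model_ctx { int error; };  /* hypothetical stand-in for X509_STORE_CTX */
typedef int (*verify_cb)(int ok, struct model_ctx *ctx);

static int is_time_error(int err) {
    return err == V_ERR_CERT_NOT_YET_VALID || err == V_ERR_CERT_HAS_EXPIRED;
}
/* Careful: pass "ok" through unchanged, override only the two time errors. */
static int time_only_cb(int ok, struct model_ctx *ctx) {
    return (!ok && is_time_error(ctx->error)) ? 1 : ok;
}
/* Risky: returns 1 in additional cases and leaves the decision for later. */
static int accept_all_cb(int ok, struct model_ctx *ctx) {
    (void)ok; (void)ctx;
    return 1;
}
/* Model verifier: report each error to cb and stop at the first one it
 * rejects. ctx->error always holds only the last error reported. */
static int model_verify(struct model_ctx *ctx, const int *errs, size_t n, verify_cb cb) {
    ctx->error = V_OK;
    for (size_t i = 0; i < n; i++) {
        ctx->error = errs[i];
        if (!cb(0, ctx)) return 0;
    }
    return 1;
}
/* Deferred check that looks only at the final stored error. */
static int final_error_acceptable(const struct model_ctx *ctx) {
    return ctx->error == V_OK || is_time_error(ctx->error);
}
/* Constructed sample inputs: errors in the order the verifier reports them. */
static const int bad_chain[] = { V_ERR_CERT_SIGNATURE_FAILURE, V_ERR_CERT_HAS_EXPIRED };
static const int expired_only[] = { V_ERR_CERT_HAS_EXPIRED };

int main(void) {
    struct model_ctx c;
    printf("careful cb, expired only: %d\n", model_verify(&c, expired_only, 1, time_only_cb));
    printf("careful cb, bad chain:    %d\n", model_verify(&c, bad_chain, 2, time_only_cb));
    int rv = model_verify(&c, bad_chain, 2, accept_all_cb);
    printf("accept-all cb, bad chain: rv=%d final=%d deferred_ok=%d\n",
           rv, c.error, final_error_acceptable(&c));
    return 0;
}
```

With the accept-all callback the signature failure is reported first and then overwritten by the expiry, so a check of the final stored error alone accepts the chain. The careful callback combined with the verifier's return value rejects it.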