[openssl-project] Change to fractional time processing in cert verify

Barry Fussell (bfussell) bfussell at cisco.com
Fri Aug 10 16:33:35 UTC 2018

My team was recently made aware of a change in the time comparison
logic in openssl to adhere to RFC5280 requirements . This change will be in
the upcoming 1.0.2p and 1.1.0i releases. We've had discussions regarding
the impact to legacy devices in the field and feel the change could be
detrimental if enabled by default.

We've seen fractional time used in many cases, for example the IAIK
crypto library generated fractional times for quite a while. I believe the
issue with the IAIK library has been fixed, but products still have those certs
embedded in them today.

In reading the discussion linked below it seems the only impetus for
this change was to meet RFC5280, not that allowing fractional times
was any specific vulnerability.


Is there any option for this going forward, removal, compile-time
enabled or part of the strict checks ?

Thanks !

Barry Fussell


Barry Fussell
Technical Leader
Security & Trust Organization
bfussell at cisco.com<mailto:bfussell at cisco.com>
Phone: +1 919 392 2920

Cisco Systems, Inc.
7025-2 Kit Creek Road
Research Triangle Park, NC 27709
United States

[http://www.cisco.com/assets/swa/img/thinkbeforeyouprint.gif]Think before you print.
This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.
Please click here<http://www.cisco.com/web/about/doing_business/legal/cri/index.html> for Company Registration Information.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-project/attachments/20180810/6e2c497d/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 7270 bytes
Desc: image001.jpg
URL: <http://mta.openssl.org/pipermail/openssl-project/attachments/20180810/6e2c497d/attachment-0002.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.jpg
Type: image/jpeg
Size: 952 bytes
Desc: image002.jpg
URL: <http://mta.openssl.org/pipermail/openssl-project/attachments/20180810/6e2c497d/attachment-0003.jpg>

More information about the openssl-project mailing list