
Re: Adding a CURLOPT_SSL_OPTIONS value to disable date checking

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sat, 17 Mar 2018 14:05:54 +0100 (CET)

On Wed, 14 Mar 2018, Kelly, Tabor (Vancouver CNX FW) wrote:

> I would like to add a CURLOPT_SSL_OPTIONS value to disable date checking,
> but leave all other checks in place. This is particularly useful for
> embedded devices that lack a real time clock. You can see my change here:
> https://github.com/TaborKelly/curl/commit/24532eacb747e918407a6ad7044d5252f8b7be83

Hey,

I think I'm generally fine with this suggestion. The question to ask might be
why you would trust a certificate at all that might have expired - is this
really any more safe and sound than just disabling verification altogether?

I think it might be hard to implement this option for several other TLS
backends that do the entire cert verification for us, as they might not offer
options to tell them to only do a half-assed job.

Should the option perhaps rather allow a certain out-of-range margin instead
of just boolean on/off?

> I am happy to write test code, but I would like some pointers on a good
> strategy for that? I am new to libcurl so I would of course welcome all
> other feedback that you have on the change.

Make it a libtest in tests/libtest/, add a test case in tests/data/testNNNN
and make sure it is set to require "OpenSSL" as a feature. An expired or
not-yet-active cert could then be used and put in tests/certs/ where we have
other test certs.

-- 
  / daniel.haxx.se
Received on 2018-03-17
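Daniel's alternative of an out-of-range margin rather than a boolean, worked through as an added example (not curl's code, nor the patch under discussion): it parses the RFC 5280 time strings found in a certificate and reports whether "now" falls inside the validity window, inside the tolerated margin, or out of range. The status names and the margin parameter are assumptions for illustration.

```c
/* Added example, not curl's code: check a certificate's validity window against
 * "now" with a tolerance margin, instead of switching date checks off entirely.
 * Dates are RFC 5280 GeneralizedTime (YYYYMMDDHHMMSSZ) or UTCTime (YYMMDDHHMMSSZ);
 * all times are seconds since 1970-01-01 UTC. Status names are assumed here. */
#include <stdint.h>
#include <string.h>
enum cert_time_status { CERT_TIME_OK, CERT_TIME_WITHIN_MARGIN, CERT_TIME_NOT_YET_VALID,
                        CERT_TIME_EXPIRED, CERT_TIME_BAD_FORMAT };
static int digits(const char *s, int n)  /* n decimal digits -> value, or -1 if not digits */
{
  int v = 0;
  for(int i = 0; i < n; i++) {
    if(s[i] < '0' || s[i] > '9') return -1;
    v = v * 10 + (s[i] - '0');
  }
  return v;
}
static int64_t days_from_civil(int y, int m, int d)  /* days since epoch, proleptic Gregorian */
{
  y -= m <= 2;
  int64_t era = (y >= 0 ? y : y - 399) / 400;
  int yoe = (int)(y - era * 400);
  int doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
  return era * 146097 + (yoe * 365 + yoe / 4 - yoe / 100 + doy) - 719468;
}
/* Parse an ASN.1 time string into UTC seconds; returns 1 on success, 0 on bad input. */
int asn1_time_to_utc(const char *s, int64_t *out)
{
  size_t len = strlen(s); int year, off;
  if(len == 15 && s[14] == 'Z') { year = digits(s, 4); off = 4; }       /* GeneralizedTime */
  else if(len == 13 && s[12] == 'Z') {                                   /* UTCTime */
    year = digits(s, 2); off = 2;
    if(year >= 0) year += (year >= 50) ? 1900 : 2000;  /* RFC 5280 two-digit year pivot */
  }
  else return 0;
  int mon = digits(s + off, 2), day = digits(s + off + 2, 2), hh = digits(s + off + 4, 2);
  int mm = digits(s + off + 6, 2), ss = digits(s + off + 8, 2);
  if(year < 0 || mon < 1 || mon > 12 || day < 1 || day > 31 ||
     hh < 0 || hh > 23 || mm < 0 || mm > 59 || ss < 0 || ss > 59) return 0;
  *out = days_from_civil(year, mon, day) * 86400 + hh * 3600 + mm * 60 + ss;
  return 1;
}
/* Classify 'now' against [not_before, not_after], accepting up to 'margin' seconds
 * outside it. WITHIN_MARGIN passes but stays distinct so callers can log it. */
enum cert_time_status cert_time_check(const char *not_before, const char *not_after,
                                      int64_t now, int64_t margin)
{
  int64_t nb, na;
  if(!asn1_time_to_utc(not_before, &nb) || !asn1_time_to_utc(not_after, &na)) return CERT_TIME_BAD_FORMAT;
  if(now >= nb && now <= na) return CERT_TIME_OK;
  if(now < nb) return (nb - now <= margin) ? CERT_TIME_WITHIN_MARGIN : CERT_TIME_NOT_YET_VALID;
  return (now - na <= margin) ? CERT_TIME_WITHIN_MARGIN : CERT_TIME_EXPIRED;
}
```

A margin of zero reproduces the strict check; a device without a real-time clock still needs some trustworthy time source, since a large margin only widens what an attacker's stale certificate can satisfy.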