curl-library
Re: Adding a CURLOPT_SSL_OPTIONS value to disable date checking
Date: Tue, 20 Mar 2018 17:34:29 +0100
I agree with Daniel that you can no longer say it's verified. For
debugging purposes it could be useful, but I think it's a very bad
idea in a production setting. For example, people will generally not
revoke expired certificates and the chance of a compromised key is
much much higher.
Having a grace period sounds like a good idea and even then you still
want to make sure that, at the time the last cert in the chain was
produced, the entire chain was valid.
Best wishes,
Mischa
On Sat, Mar 17, 2018 at 2:05 PM, Daniel Stenberg <daniel_at_haxx.se> wrote:
> On Wed, 14 Mar 2018, Kelly, Tabor (Vancouver CNX FW) wrote:
>
>> I would like to add a CURLOPT_SSL_OPTIONS value to disable date checking,
>> but leave all other checks in place. This is particularly useful for
>> embedded devices that lack a real time clock. You can see my change here:
>> https://github.com/TaborKelly/curl/commit/24532eacb747e918407a6ad7044d5252f8b7be83
>
>
> Hey,
>
> I think I'm generally fine with this suggestion. The question to ask might
> be why you would trust a certificate at all that might have expired - is
> this really any more safe and sound than just disabling verification all
> together?
>
> I think it might be hard to implement this option for several other TLS
> backends that do the entire cert verification for us, as they might not
> offer options to tell them to only do a half-assed job.
>
> Should the option perhaps rather allow a certain out-of-range margin instead
> of just boolean on/off ?
>
>> I am happy to write test code, but I would like some pointers on a good
>> strategy for that? I am new to libcurl so I would of course welcome all
>> other feedback that you have on the change.
>
>
> Make it a libtest in tests/libtest/, add a test case in tests/data/testNNNN
> and make sure it is set to require "OpenSSL" as a feature. An expired or
> not-yet-active cert could then be used and put in tests/certs/ where we have
> other test certs.
>
> --
>
> / daniel.haxx.se
>
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2018-03-20