Re: Adding a CURLOPT_SSL_OPTIONS value to disable date checking

From: Patrick Monnerat <>
Date: Wed, 21 Mar 2018 05:45:42 +0100

On 03/21/2018 04:36 AM, Tabor Kelly wrote:
> Also, let's say that you are going to ship an IoT product without a
> realtime clock. Your first libcurl request could be to a C&C server to
> get the time, but you would need to use TLS and actually validate the
> chain of trust to prevent a MITM attack and you would need to disable
> the date checking (just for this first request). My pull request can
> be found here:
Just a suggestion: why don't you sync your IoT product clock to a public
pool of NTP servers? NTP is not supported by curl, but there are some
open-source projects that can run as a detached daemon to sync your
clock. See,

NTP is unencrypted UDP and only deals with time: at its own level, there
is no possible information leakage and a MITM can only fool your clock.
While not 100% safe, it is still widely used. See

Even if you don't have access to the public Internet, you can set up an
autonomous NTP server on your LAN: it won't have the precision of
stratum 1 servers, but can be tuned to be accurate enough for your needs.

In addition, if you want to set your IoT device time ASAP after power-up
to avoid it "jumping" back to the time origin before NTP does its job, you
can use my own daemon that loads time from a file early after power-on
and saves it periodically. Of course, it requires that some storage be
available on the device. I have used it successfully on very old PCs with flat
batteries and on Raspberry Pi for a long time. Even if you don't use NTP
but a C&C server, it can help you much, provided you don't leave your
device off for months and the C&C server certificate renewal sets a
start date in the past when installed. See

In any case, this is much saner than bypassing certificate time
range validity and will also benefit other parts of your OS and
Received on 2018-03-21
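The approach described in the mail (persist the clock to a file, restore it early on boot, keep certificate date checks enabled) can be illustrated with a small simulation. This is an added example written for this page, not Patrick Monnerat's daemon or any curl code; the file format, function names, the constructed timestamps and the certificate validity window are all assumptions. It shows why the restored clock must only ever move forward, what happens when the file is missing or corrupt, and the failure case the mail points out: a device left off for months whose server certificate has meanwhile been renewed with a later notBefore.

```python
"""Restore a plausible wall-clock time from a persisted file before the first
TLS request, so that certificate notBefore/notAfter checks can stay enabled
on a board without a real-time clock.

Hypothetical example for illustration: the file format (one integer epoch
second per file) and all names are assumptions, not a real daemon's format.
"""
import os
import tempfile
from datetime import datetime, timezone


def save_clock(path: str, now: float) -> None:
    """Persist the current time. Written atomically so that a power cut during
    the write cannot leave a half-written file that parses to a bogus time."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(f"{int(now)}\n")
    os.replace(tmp, path)


def restore_clock(path: str, current: float) -> float:
    """Return the time the system should run with after boot: the later of the
    live clock and the persisted one. The clock is never moved backwards, and a
    missing or corrupt file simply falls back to the live clock."""
    try:
        with open(path) as f:
            saved = int(f.read().strip())
    except (OSError, ValueError):
        return current
    return max(current, float(saved))


def cert_time_valid(not_before: float, not_after: float, now: float) -> bool:
    """The validity-window check that the proposed CURLOPT_SSL_OPTIONS flag
    would disable. Kept enabled here; only the clock fed into it changes."""
    return not_before <= now <= not_after


def _utc(year: int, month: int, day: int) -> float:
    return datetime(year, month, day, tzinfo=timezone.utc).timestamp()


def demo() -> dict:
    """Walk through the scenarios from the thread with a temporary file.
    All timestamps are constructed sample values."""
    path = os.path.join(tempfile.mkdtemp(), "saved-clock")
    boot = 0.0  # RTC-less board: the clock starts at the epoch on every power-up
    not_before, not_after = _utc(2018, 1, 1), _utc(2019, 1, 1)
    result = {}

    # 1. First ever boot, nothing persisted: the certificate looks "not yet valid".
    result["cold"] = cert_time_valid(not_before, not_after, restore_clock(path, boot))

    # 2. The device ran before and saved 2018-03-21: the restored time passes.
    save_clock(path, _utc(2018, 3, 21))
    result["restored"] = cert_time_valid(not_before, not_after, restore_clock(path, boot))

    # 3. Corrupt file: fall back to the live clock, which still rejects the cert.
    with open(path, "w") as f:
        f.write("not a number\n")
    result["corrupt"] = cert_time_valid(not_before, not_after, restore_clock(path, boot))

    # 4. Stale clock: device off for months, server cert renewed in the meantime
    #    with a notBefore later than the saved time. The persisted clock alone
    #    cannot rescue this case; NTP (or a cert whose start date lies in the
    #    past) is needed.
    save_clock(path, _utc(2018, 3, 21))
    result["stale"] = cert_time_valid(_utc(2018, 9, 1), not_after, restore_clock(path, boot))
    return result


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:9s} -> certificate {'accepted' if accepted else 'rejected'}")
```

On a real device `save_clock` would run from a periodic timer and `restore_clock` from an early boot unit, before the first network request; the point of the max() is that a persisted value can only ever pull a 1970 clock forward, never push a correct NTP-synced clock back.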