Topic: [SOLVED] how to ignore date/time exceed when load certificate?

Hi,
   In some scenarios, even if the certificate has already exceeded its defined date/time, we still need to trust it.
   So, is there any flexible way to disable/enable the verification of the certificate's date/time? It seems there is no special macro for this case.

   In detail: how can I make XVALIDATE_DATE(d, f, t) always return 1?


Re: [SOLVED] how to ignore date/time exceed when load certificate?

Hi cxdinter,

We have received a few inquiries of this nature over the years. To be absolutely clear, let me express that this is HIGHLY NOT RECOMMENDED by wolfSSL. This can open you up to attacks and in general is a bad idea. We cannot express how strongly we do not recommend doing what you are requesting. To convey our concern, let me provide a real world example.

A certificate belonging to the domain comehereforfreemoney.com is currently on the Certificate Revocation List (CRL) because, if you visit that domain, it will install a virus on your computer or do some other malicious thing. Once the certificate belonging to that domain expires, it drops off the CRL and you can no longer tell it's a certificate belonging to a malicious domain by checking it against the CRL. You decide to trust it because you ignore the date; the CRL is checked and comes back with an OK status since that certificate is no longer tracked by the CRL. Your connection is allowed and you end up with a virus, or other malicious behavior is performed, due to the approved connection.


Now that you are briefed on the potential pitfalls of ignoring date checks:

Due to the requests over the years we have provided an example of doing this in <wolfssl-root>/wolfssl/test.h

The function "myDateCb" can be used as a model for achieving your desired use-case.
You would create your own custom callback similar to myDateCb and then register that "verify callback" with the API "wolfSSL_CTX_set_verify". Then, whenever a verify is performed, it will use your callback instead of the default one in wolfSSL.

Example:

#include <wolfssl/ssl.h>
#include <wolfssl/wolfcrypt/error-crypt.h>   /* ASN_BEFORE_DATE_E, ASN_AFTER_DATE_E */

int myCustomVerifyFunction(int preverify, WOLFSSL_X509_STORE_CTX* store);

int myCustomVerifyFunction(int preverify, WOLFSSL_X509_STORE_CTX* store)
{
    /* Model after myDateCb from <wolfssl-root>/wolfssl/test.h */
    /* Override only the two date errors (not-yet-valid / expired). */
    if (store->error == ASN_BEFORE_DATE_E || store->error == ASN_AFTER_DATE_E) {
        return 1; /* 1 = accept the certificate despite the date error */
    }
    /* Every other verification result keeps what wolfSSL already decided:
       preverify is 1 for success and 0 for failure. */
    return preverify;
}

... application code ...
wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myCustomVerifyFunction);
... application code ...

Regards,

3 (edited by cxdinter 2016-12-17 05:34:53)

Re: [SOLVED] how to ignore date/time exceed when load certificate?

Hi Kaleb,

I fully understand your contradiction.
Our product can only sync the real date/time from the car's CAN network. But during our development work, sometimes our product can't work in a real car environment. So, if we don't ignore the date/time exceeded error, the TLS link will always fail.
Big appreciation for your solution, and I promise that I will only use this solution for development work; this change will not be integrated into our product's formal software release.

At the end, merry Christmas to you!
