
Re: Adding a CURLOPT_SSL_OPTIONS value to disable date checking

From: Mischa Salle <mischa.salle_at_gmail.com>
Date: Tue, 20 Mar 2018 17:34:29 +0100

I agree with Daniel that you can no longer say it's verified. For
debugging purposes it could be useful, but I think it's a very bad
idea in a production setting. For example, people will generally not
revoke expired certificates and the chance of a compromised key is
much much higher.
Having a grace period sounds like a good idea and even then you still
want to make sure that, at the time the last cert in the chain was
produced, the entire chain was valid.

Best wishes,
Mischa

On Sat, Mar 17, 2018 at 2:05 PM, Daniel Stenberg <daniel_at_haxx.se> wrote:
> On Wed, 14 Mar 2018, Kelly, Tabor (Vancouver CNX FW) wrote:
>
>> I would like to add a CURLOPT_SSL_OPTIONS value to disable date checking,
>> but leave all other checks in place. This is particularly useful for
>> embedded devices that lack a real time clock. You can see my change here:
>> https://github.com/TaborKelly/curl/commit/24532eacb747e918407a6ad7044d5252f8b7be83
>
> Hey,
>
> I think I'm generally fine with this suggestion. The question to ask might
> be why you would trust a certificate at all that might have expired - is
> this really any more safe and sound than just disabling verification
> altogether?
>
> I think it might be hard to implement this option for several other TLS
> backends that do the entire cert verification for us, as they might not
> offer options to tell them to only do a half-assed job.
>
> Should the option perhaps rather allow a certain out-of-range margin instead
> of just boolean on/off?
>
>> I am happy to write test code, but I would like some pointers on a good
>> strategy for that? I am new to libcurl so I would of course welcome all
>> other feedback that you have on the change.
>
> Make it a libtest in tests/libtest/, add a test case in tests/data/testNNNN
> and make sure it is set to require "OpenSSL" as a feature. An expired or
> not-yet-active cert could then be used and put in tests/certs/ where we have
> other test certs.
>
> --
>
> / daniel.haxx.se
>
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2018-03-20
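The date policy discussed in this thread (a bounded out-of-range margin rather than an on/off switch, and Mischa's requirement that every issuer in the chain was valid at the moment the leaf was produced), written out as an added Python example. This is not curl's code and not taken from the linked commit: it assumes the notBefore/notAfter values have already been extracted from the parsed chain and models them as constructed data, and the `reference_time` helper for devices without a real-time clock is a hypothetical name.

```python
"""Date policy for certificate chains: a grace margin instead of an on/off
switch, plus a validity check anchored at the leaf's issuance time.

Added example, not curl's code. Validity windows are constructed inline; a
real implementation would take them from the parsed X.509 chain."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
GRACE_60D = timedelta(days=60)


@dataclass(frozen=True)
class CertValidity:
    """The notBefore/notAfter window of one certificate (constructed data)."""
    name: str
    not_before: datetime
    not_after: datetime


def within_window(cert, when, grace=timedelta(0)):
    """True if `when` lies inside the cert's window widened by `grace` on both ends."""
    return cert.not_before - grace <= when <= cert.not_after + grace


def reference_time(clock, firmware_build):
    """Hypothetical helper for devices without a battery-backed RTC: a clock that
    reads earlier than the firmware build time cannot be right, so the build time
    is used as a lower bound instead of switching date checks off entirely."""
    return max(clock, firmware_build)


def check_chain(chain, now, grace=timedelta(0)):
    """chain[0] is the leaf, chain[-1] the trust anchor. Returns (ok, reason).

    Rule 1 (bounded margin): each cert must be valid at `now`, allowing at most
    `grace` outside its window. Rule 2 (chain valid at issuance): when the leaf
    was produced (its notBefore) every issuer must have been valid with no grace,
    since a CA cannot legitimately sign outside its own validity window."""
    if grace < timedelta(0):
        raise ValueError("grace must be non-negative")
    for cert in chain:
        if not within_window(cert, now, grace):
            return False, f"{cert.name}: outside validity window at {now.date()} (grace {grace.days}d)"
    issued = chain[0].not_before
    for issuer in chain[1:]:
        if not within_window(issuer, issued):
            return False, f"{issuer.name}: not valid when leaf was issued ({issued.date()})"
    return True, "chain valid"


def ts_utc(year, month, day):
    return datetime(year, month, day, tzinfo=UTC)


# Constructed chain: root 2010-2030, intermediate 2015-2025, leaf 2018-01-01..2019-01-01.
CHAIN = [
    CertValidity("leaf", ts_utc(2018, 1, 1), ts_utc(2019, 1, 1)),
    CertValidity("intermediate", ts_utc(2015, 1, 1), ts_utc(2025, 1, 1)),
    CertValidity("root", ts_utc(2010, 1, 1), ts_utc(2030, 1, 1)),
]

# Constructed bad chain: the leaf claims issuance before its intermediate existed.
BACKDATED_CHAIN = [
    CertValidity("leaf", ts_utc(2014, 6, 1), ts_utc(2015, 6, 1)),
    CHAIN[1],
    CHAIN[2],
]

if __name__ == "__main__":
    build = ts_utc(2018, 3, 1)
    now = reference_time(ts_utc(1970, 1, 1), build)  # RTC reset to the epoch -> use build time
    print(check_chain(CHAIN, now))
    print(check_chain(CHAIN, ts_utc(2019, 2, 1)))                    # leaf expired a month ago
    print(check_chain(CHAIN, ts_utc(2019, 2, 1), grace=GRACE_60D))   # inside the margin
    print(check_chain(CHAIN, ts_utc(2026, 1, 1), grace=GRACE_60D))   # margin does not rescue this
    print(check_chain(BACKDATED_CHAIN, ts_utc(2015, 1, 15)))         # fails the issuance-time rule
```

The margin is applied only to the "now" comparison; the issuance-time rule is deliberately strict, because a chain in which an issuer was not yet (or no longer) valid when it signed the leaf is not a clock problem but a chain that should never have existed, and no grace period makes it trustworthy.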