
Re: Adding a CURLOPT_SSL_OPTIONS value to disable date checking

From: Patrick Monnerat <patrick_at_monnerat.net>
Date: Wed, 21 Mar 2018 05:45:42 +0100

On 03/21/2018 04:36 AM, Tabor Kelly wrote:
>
> Also, let's say that you are going to ship an IoT product without a
> realtime clock. Your first libcurl request could be to a C&C server to
> get the time, but you would need to use TLS and actually validate the
> chain of trust to prevent a MITM attack and you would need to disable
> the date checking (just for this first request). My pull request can
> be found here:
> https://github.com/curl/curl/pull/2405
Just a suggestion: why don't you sync your IoT product clock to a public
pool of NTP servers? NTP is not supported by curl, but there are some
open-source projects that can run as a detached daemon to sync your
clock. See http://www.ntp.org/downloads.html, https://chrony.tuxfamily.org/

NTP is unencrypted UDP and only deals with time: at its own level, there
is no possible information leakage and a MITM can only fool your clock.
While not 100% safe, it is still widely used. See
http://www.cs.bu.edu/~goldbe/papers/NTPattack.pdf.

Even if you don't have access to the public Internet, you can set up an
autonomous NTP server on your LAN: it won't have the precision of
stratum 1 servers, but can be tuned to be accurate enough for your needs.

In addition, if you want to set your IoT device time ASAP after power-up
to avoid it "jumping" back to the time origin before NTP does its job, you
can use my own daemon that loads time from a file early after power-on
and saves it periodically. Of course, it requires that some storage be
available on the device. I have used it successfully on very old PCs with flat
batteries and on Raspberry Pi for a long time. Even if you don't use NTP
but a C&C server, it can help you a lot, provided you don't leave your
device off for months and the C&C server certificate renewal sets a
start date in the past when installed. See
https://github.com/monnerat/saveclock.

In any case, this is much saner than bypassing certificate time
range validity and will also benefit other parts of your OS and
application.
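As an added illustration of the load-at-boot / save-periodically scheme described in the mail (a constructed example written here, not the saveclock project's code; the stamp file path and the 60-second save interval are assumptions), the core rule is to never step the clock backwards and to write the stamp atomically:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/time.h>
#include <unistd.h>

#define CLOCK_FILE "/var/lib/saveclock.stamp"  /* assumed path, not the project's */

/* Read a saved epoch timestamp; returns 0 if the file is missing or garbled,
   which makes a fresh or corrupted device behave as "no saved time". */
static time_t load_saved_time(const char *path) {
    FILE *f = fopen(path, "r");
    long long v = 0;
    if (!f) return 0;
    if (fscanf(f, "%lld", &v) != 1 || v <= 0) v = 0;
    fclose(f);
    return (time_t)v;
}

/* Clock value to adopt at power-up: keep the system clock only if it is already
   later than the stamp, so a clock that reset to the epoch origin is moved
   forward (certificate notBefore checks then see a plausible date) and a
   running clock is never stepped backwards. */
static time_t choose_boot_time(time_t system_now, time_t saved) {
    return system_now > saved ? system_now : saved;
}

/* Persist the current time via write-then-rename so a power loss mid-write
   cannot leave a torn stamp file. Returns 0 on success. */
static int save_current_time(const char *path, time_t now) {
    char tmp[512];
    FILE *f;
    snprintf(tmp, sizeof tmp, "%s.tmp", path);
    f = fopen(tmp, "w");
    if (!f) return -1;
    if (fprintf(f, "%lld\n", (long long)now) < 0 || fclose(f) != 0) return -1;
    return rename(tmp, path);  /* atomic replace on POSIX filesystems */
}

int main(void) {
    time_t now = time(NULL);
    time_t use = choose_boot_time(now, load_saved_time(CLOCK_FILE));
    if (use != now) {
        struct timeval tv = { use, 0 };
        if (settimeofday(&tv, NULL) != 0) perror("settimeofday"); /* needs root */
    }
    for (;;) {  /* periodic save, as the daemon in the mail does */
        save_current_time(CLOCK_FILE, time(NULL));
        sleep(60);
    }
}
```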
Received on 2018-03-21