curl-library

Re: Unknown system time | feature discussion

From: Rainer Canavan <rainer+curlusers_at_7val.com>
Date: Thu, 26 Jul 2018 17:22:37 +0200

On Thu, Jul 26, 2018 at 3:35 PM Daniel Stenberg <daniel_at_haxx.se> wrote:
>
> Secondly, it won't be used by the TLS libraries so things like certificate
> verifications will likely fail anyway.
>
> A *much* better system that is actually likely to somewhat work globally would
> be if you have a hardcoded "reasonable" date (like the date of your most
> recent build) that you set your system to at boot and then everything in the
> system will work as if that date is real... (it could be based on the same
> time you imagine you'd use as a basis for the time() callback you suggest)

That's indeed better, but it will still fail if updated certificates
are not yet valid at build time.

OCSP (not stapled, but with an explicit request to the provider) may be
a workaround for that, but would still require support from the TLS library.

rainer
-------------------------------------------------------------------
Received on 2018-07-26