Make OpenSSL accept expired certificates

谎友^ 2021-01-23 01:56

I'm digging through the source code, trying to find a way to get OpenSSL to always accept expired certificates. I can't find the link between the expired errors/alarms and the

2 answers
  • 2021-01-23 02:16

    How I solved it:

    The time checks for certificates are in ssl/x509_vfy.c:

    static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
    {
        time_t *ptime;
        int i;
    
        .
        .
        .
    
        i = X509_cmp_time(X509_get_notAfter(x), ptime);
        .
        .
        .
    
        if (i < 0) {
            return 1;
            /* Allow expired certificates!
             *
             * ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
             * ctx->current_cert = x;
             * if (!ctx->verify_cb(0, ctx))
             *   return 0;
             */
        }
    
        return 1;
    }
    

    I just commented out the part where it sets the expiration error. Not the best way to do it; I would suggest using jww's answer instead. I just thought I should document the solution I used.

    This solution means that openssl can't detect any expired certs, even if set_verify_cb changes the callback.

  • 2021-01-23 02:38

    Make OpenSSL accept expired certificates...

    In your verification callback function, you should accept both X509_V_OK and X509_V_ERR_CERT_HAS_EXPIRED. Maybe something like:

    int verify_callback(int preverify, X509_STORE_CTX* x509_ctx)
    {
        /* For error codes, see http://www.openssl.org/docs/apps/verify.html  */
        int err = X509_STORE_CTX_get_error(x509_ctx);
    
        if(preverify == 0)
        {
            if(err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
                fprintf(stdout, "  Error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY\n");
            else if(err == X509_V_ERR_CERT_UNTRUSTED)
                fprintf(stdout, "  Error = X509_V_ERR_CERT_UNTRUSTED\n");
            else if(err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
                fprintf(stdout, "  Error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN\n");
            else if(err == X509_V_ERR_CERT_NOT_YET_VALID)
                fprintf(stdout, "  Error = X509_V_ERR_CERT_NOT_YET_VALID\n");
            else if(err == X509_V_ERR_CERT_HAS_EXPIRED)
                fprintf(stdout, "  Error = X509_V_ERR_CERT_HAS_EXPIRED\n");
            else if(err == X509_V_OK)
                fprintf(stdout, "  Error = X509_V_OK\n");
            else
                fprintf(stdout, "  Error = %d\n", err);
        }
    
        if (err == X509_V_OK || err == X509_V_ERR_CERT_HAS_EXPIRED)
            return 1;
    
        return preverify;
    }
    

    Another problem with older mobile and IoT gadgets is the lack of clocks and/or aux power. You may need to allow X509_V_ERR_CERT_NOT_YET_VALID too. You will observe this for a device that powers on and thinks it's in the 1990s or 2000s. Older phones without a SIM experience this all the time. I've also observed it in modern [low end] Android phones.
