Hi David,

I think that both your proposals will add vulnerabilities. With your proposal I anticipate that many careless application developers will disable the date checking forever. As a result, consumers will be blaming openssl, not these developers.

The current solution for kernels and other firmware without a reliable RTC is to issue certificates that are valid from 1969 to 2037. We will have a Y2037 problem similar to Y2000, but this is a wide problem, much wider than openssl can solve at the moment.

Regards,
Alex Gostrer

On Wed, Jul 22, 2015 at 6:09 AM, Woodhouse, David via RT <r...@openssl.org> wrote:
> There are various circumstances in which it makes no sense to be
> checking the start and end times of a certificate's validity.
>
> When validating OS kernel drivers, or indeed when validating the OS
> kernel itself when the firmware loads it, we *really* don't want to
> have a built-in obsolescence date after which the system will no longer
> function. That would be a bad thing even if we *could* reliably trust
> the system's real time clock at this stage in the boot sequence.
>
> This patch gives us a way to disable the time checks entirely, by using
> X509_VERIFY_PARAM_set_time() with a time of -1.
>
> There is a slight risk here — if anyone was genuinely using the value
> of -1 to check if a certificate chain was indeed valid in the last
> second of 1969. I judge that risk to be negligible. And it certainly
> shouldn't be externally triggerable — if an attacker could influence
> the value passed to X509_VERIFY_PARAM_set_time() then all bets were off
> w.r.t. time-based checks anyway.
>
> If there are serious concerns, however, I can provide an alternative
> patch which adds an X509_V_FLAG_NO_CHECK_TIME flag for this purpose
> instead.
>
> I'm happy with anything except the existing version in the UEFI source
> tree that everyone is shipping, which just disables the time check if
> OPENSSL_SYS_UEFI is set¹. That one I *don't* like.
>
> --
> David Woodhouse                            Open Source Technology Centre
> david.woodho...@intel.com                              Intel Corporation
>
> ¹ http://git.infradead.org/users/dwmw2/openssl.git/commitdiff/2fb12afc2ceb
_______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
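The two designs argued over in the thread, the `-1` sentinel versus an explicit no-check-time flag, as an added illustration. This is not OpenSSL's code: `verify_param`, `VP_FLAG_NO_CHECK_TIME`, the `check_validity_*` functions and the constructed 1969-to-2037 firmware certificate window are hypothetical stand-ins for the API being discussed.

```c
#include <stdint.h>

/* Hypothetical model of the two proposals; not OpenSSL's own API.
 * Times are POSIX seconds as signed 64-bit integers. */
typedef int64_t cert_time;

#define VP_FLAG_NO_CHECK_TIME 0x1u  /* explicit opt-out, in the spirit of X509_V_FLAG_NO_CHECK_TIME */
#define VP_TIME_UNSET 0             /* "no time set by the caller": fall back to the wall clock */

typedef struct {
    cert_time check_time;   /* verification time set by the caller, or VP_TIME_UNSET */
    unsigned  flags;
} verify_param;

enum { V_OK = 0, V_NOT_YET_VALID = 1, V_EXPIRED = 2 };

static int compare_window(cert_time now, cert_time not_before, cert_time not_after)
{
    if (now < not_before) return V_NOT_YET_VALID;
    if (now > not_after)  return V_EXPIRED;
    return V_OK;
}

/* Design A (first proposal): a verification time of -1 disables the check.
 * The sentinel collides with a legitimate instant, 1969-12-31 23:59:59 UTC. */
int check_validity_sentinel(const verify_param *p, cert_time not_before,
                            cert_time not_after, cert_time wall_clock)
{
    cert_time now = (p->check_time != VP_TIME_UNSET) ? p->check_time : wall_clock;
    if (now == -1)
        return V_OK;        /* skipped; indistinguishable from a real query at -1 */
    return compare_window(now, not_before, not_after);
}

/* Design B (alternative proposal): a dedicated flag disables the check and the
 * time value keeps its ordinary meaning, so the opt-out is visible in the flags. */
int check_validity_flag(const verify_param *p, cert_time not_before,
                        cert_time not_after, cert_time wall_clock)
{
    if (p->flags & VP_FLAG_NO_CHECK_TIME)
        return V_OK;        /* caller opted out deliberately */
    cert_time now = (p->check_time != VP_TIME_UNSET) ? p->check_time : wall_clock;
    return compare_window(now, not_before, not_after);
}

/* Constructed firmware-style certificate window from the reply: 1969 to end of 2037. */
#define FW_NOT_BEFORE ((cert_time)-31536000)   /* 1969-01-01 00:00:00 UTC */
#define FW_NOT_AFTER  ((cert_time)2145916799)  /* 2037-12-31 23:59:59 UTC */
```

Past the end of 2037 the firmware certificate expires under either design unless the check is disabled, which is the trade-off both proposals are trying to make explicit.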