When ca_cert_verify=0 (CA is not configured) the callback overrides all OpenSSL errors, including time validity. Add an explicit leaf (depth 0) check and do not overrides X509_V_ERR_CERT_HAS_EXPIRED/NOT_YET_VALID, unless TLS_CONN_DISABLE_TIME_CHECKS is set. This preserves the existing behavior of ignoring chain/issuer errors in no-CA mode; pinning/CRL/OCSP/name checks are unchanged.
Signed-off-by: Rathan Appana <rathanappana@xxxxxxxxx>
---
src/crypto/tls_openssl.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index eab43df39..518d06ae8 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2694,7 +2694,23 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
suffix_match = conn->suffix_match;
domain_match = conn->domain_match;
- if (!preverify_ok && !conn->ca_cert_verify)
+ if(!conn->ca_cert_verify && depth == 0 &&
+ !(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS)) {
+ if (X509_cmp_current_time(X509_get_notBefore(err_cert)) > 0) {
+ wpa_printf(MSG_WARNING, "TLS: Server certificate is not valid at the current time");
+ err = X509_V_ERR_CERT_NOT_YET_VALID;
+ preverify_ok = 0;
+ X509_STORE_CTX_set_error(x509_ctx, err);
+ } else if (X509_cmp_current_time(X509_get_notAfter(err_cert)) < 0) {
+ wpa_printf(MSG_WARNING, "TLS: Server certificate has expired");
+ err = X509_V_ERR_CERT_HAS_EXPIRED;
+ X509_STORE_CTX_set_error(x509_ctx, err);
+ preverify_ok = 0;
+ }
+ }
+
+ if (!preverify_ok && !conn->ca_cert_verify &&
+ !(err == X509_V_ERR_CERT_HAS_EXPIRED || err == X509_V_ERR_CERT_NOT_YET_VALID))
preverify_ok = 1;
if (!preverify_ok && depth > 0 && conn->server_cert_only)
preverify_ok = 1;
-- 
2.51.0
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
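Review bot: The new leaf time check in tls_verify_cb accepts a certificate whose notBefore or notAfter field is malformed, because X509_cmp_current_time() returns 0 on a parse error, so neither the `> 0` nor the `< 0` test fires, and OpenSSL's own X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD/NOT_AFTER_FIELD report for that leaf is still turned into `preverify_ok = 1` by the unchanged override below (only HAS_EXPIRED and NOT_YET_VALID are excluded). Store each result and treat 0 as a failure too, e.g. `int nb = X509_cmp_current_time(X509_get_notBefore(err_cert)); if (nb >= 0) { ... }` and `int na = X509_cmp_current_time(X509_get_notAfter(err_cert)); if (na <= 0) { ... }`, and add the two ERROR_IN_CERT_*_FIELD codes to the exclusion list on the override line. The exclusion list itself does not consult TLS_CONN_DISABLE_TIME_CHECKS, so when OpenSSL (rather than the added check) reports HAS_EXPIRED at depth 0 with that flag set, the callback now rejects it unless code later in the function, outside this hunk, re-accepts time errors under the flag; that should be confirmed against the commit message's "unless TLS_CONN_DISABLE_TIME_CHECKS is set" claim. On style, `if(!conn->ca_cert_verify` needs the hostap `if (` spacing and the two wpa_printf() lines exceed the project's 80-column limit and should be wrapped. tls_verify_cb begins and ends outside this hunk.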