Opened 12 years ago

Closed 12 years ago

#199 closed Feature Wish (wontfix)

Add option to ignore certificate verification errors caused by incorrect system time

Reported by: fredde-fisk Owned by:
Priority: major Milestone:
Component: Certificates Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:



When OpenVPN is running on embeded systems the hardware clock might be reset on reboot, and it's not always possible to synhcronize the system time using NTP.

This will cause OpenVPN to reject the certificate with the following error:

VERIFY ERROR: depth=1, error=certificate is not yet valid: ...


Add an option that makes verify_callback in ssl.c ignore the errors

Change History (1)

comment:1 Changed 12 years ago by David Sommerseth

Resolution: wontfix
Status: newclosed

Even though I see the issue here, it basically removes an important security feature.

In this case, I would probably rather recommend to issue a CA and/or server certificate with "Valid From" with a date which is the initial boot time of the embedded device. This should solve this issue, and contain the issue within your environment.

Note: See TracTickets for help on using tickets.