Opened 8 years ago

Closed 7 years ago

#199 closed Feature Wish (wontfix)

Add option to ignore certificate verification errors caused by incorrect system time

Reported by: fredde-fisk
Owned by:
Priority: major
Milestone:
Component: Certificates
Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

Background

When OpenVPN is running on embedded systems, the hardware clock might be reset on reboot, and it's not always possible to synchronize the system time using NTP.

This will cause OpenVPN to reject the certificate with the following error:

VERIFY ERROR: depth=1, error=certificate is not yet valid: ...

Proposal

Add an option that makes verify_callback in ssl.c ignore the errors X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED.

Change History (1)

comment:1 Changed 7 years ago by David Sommerseth

Resolution: wontfix
Status: new → closed

Even though I see the issue here, it basically removes an important security feature.

In this case, I would probably rather recommend issuing a CA and/or server certificate whose "Valid From" date is the initial boot time of the embedded device. This should solve this issue and contain it within your environment.
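The following script is an added example and is not code from the ticket or from OpenVPN. It reproduces the reporter's "certificate is not yet valid" failure by validating a freshly issued chain against a clock that has reset, then checks the maintainer's suggestion by issuing a CA and server certificate whose "Valid From" is the device's reset time. It uses the plain OpenSSL CLI as a stand-in for OpenVPN's verification: `openssl ca -startdate` to choose notBefore (which `openssl req -x509` cannot do) and `openssl verify -attime` to validate as of a chosen epoch. The reset date (2000-01-01), the ten-minute offset, the names "Demo CA" and "vpn.example", the temporary directory layout and the helper names `issue_chain` and `verify_at` are all constructed for this demo.

```shell
#!/bin/sh
# Added example, not code from the ticket or from OpenVPN. It reproduces the
# "certificate is not yet valid" failure with a clock that has reset, then
# checks the maintainer's suggestion: issue the CA and server certificate
# with "Valid From" at the device's reset time instead of at issue time.
# Constructed assumptions: the RTC resets to 2000-01-01T00:00:00Z and the
# device verifies the chain ten minutes after boot.
set -eu

RESET_DATE="20000101000000Z"            # notBefore for the "contained" chain
RESET_CLOCK=946685400                   # 2000-01-01T00:10:00Z, what the reset device reads
TRUE_CLOCK=$(( $(date -u +%s) + 60 ))   # a correct clock, just after issuance
FAR_FUTURE="20481231235959Z"            # notAfter for both chains
CURVE="ec -pkeyopt ec_paramgen_curve:prime256v1"

WORK=$(mktemp -d)

# Minimal 'openssl ca' setup. 'openssl req -x509' always stamps notBefore
# with the current time; only 'openssl ca -startdate' lets us choose it.
setup_ca_dir() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir            = $dir
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
serial         = \$dir/serial
private_key    = \$dir/ca.key
certificate    = \$dir/ca.crt
default_md     = sha256
default_days   = 3650
policy         = policy_any
unique_subject = no
[ policy_any ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# issue_chain DIR START: self-signed CA plus one server cert, both valid
# from START (YYYYMMDDHHMMSSZ) until FAR_FUTURE.
issue_chain() {
    dir=$1 start=$2
    setup_ca_dir "$dir"
    openssl req -new -newkey $CURVE -nodes -config "$dir/ca.cnf" \
        -subj "/CN=Demo CA" -keyout "$dir/ca.key" -out "$dir/ca.csr" >/dev/null 2>&1
    openssl ca -batch -notext -selfsign -config "$dir/ca.cnf" -keyfile "$dir/ca.key" \
        -extensions ca_ext -startdate "$start" -enddate "$FAR_FUTURE" \
        -in "$dir/ca.csr" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey $CURVE -nodes -config "$dir/ca.cnf" \
        -subj "/CN=vpn.example" -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl ca -batch -notext -config "$dir/ca.cnf" \
        -extensions server_ext -startdate "$start" -enddate "$FAR_FUTURE" \
        -in "$dir/server.csr" -out "$dir/server.crt" >/dev/null 2>&1
}

# verify_at CA CERT EPOCH: validate CERT against CA as of EPOCH, the way a
# device with that clock would. Prints "ok", or the reason from the first
# "error N at D depth lookup: ..." line, and returns 1 on failure.
verify_at() {
    if out=$(openssl verify -attime "$3" -CAfile "$1" "$2" 2>&1); then
        echo ok
        return 0
    fi
    printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
    return 1
}

issue_chain "$WORK/issued_today" "$(date -u +%Y%m%d%H%M%SZ)"
issue_chain "$WORK/contained"    "$RESET_DATE"

for chain in issued_today contained; do
    for clock in "$RESET_CLOCK" "$TRUE_CLOCK"; do
        printf '%-13s at clock %10s: %s\n' "$chain" "$clock" \
            "$(verify_at "$WORK/$chain/ca.crt" "$WORK/$chain/server.crt" "$clock" || true)"
    done
done
```

The "issued_today" chain fails at the reset clock with exactly the reason the ticket quotes and passes at the true clock; the "contained" chain passes at both, because its notBefore is at or before anything the device's clock can read after a reset. Drop the `>/dev/null 2>&1` redirects to see OpenSSL's own messages while debugging. Note what the proposal in the description would trade away: ignoring X509_V_ERR_CERT_HAS_EXPIRED along with X509_V_ERR_CERT_NOT_YET_VALID means an expired certificate (for example one whose key leaked and was simply allowed to lapse) keeps working, which is the "important security feature" the maintainer's reply refers to. Pinning the check time, as `-attime` does here, or backdating notBefore as suggested, keeps the expiry check intact.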
