Opened 13 years ago
Closed 12 years ago
#199 closed Feature Wish (wontfix)
Add option to ignore certificate verification errors caused by incorrect system time
Reported by: | fredde-fisk | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Certificates | Version: | OpenVPN git master branch (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: | | | |
Description
Background
When OpenVPN is running on embedded systems the hardware clock might be reset on reboot, and it's not always possible to synchronize the system time using NTP.
This will cause OpenVPN to reject the certificate with the following error:
VERIFY ERROR: depth=1, error=certificate is not yet valid: ...
Proposal
Add an option that makes verify_callback in ssl.c ignore the errors
X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED
Even though I see the issue here, it basically removes an important security feature.
In this case, I would probably rather recommend to issue a CA and/or server certificate with "Valid From" with a date which is the initial boot time of the embedded device. This should solve this issue, and contain the issue within your environment.
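The proposal in the description and the alternative in the reply, as an added example that is not part of this ticket or of OpenVPN's ssl.c. It is written in Go rather than against OpenSSL's verify_callback so that it runs stand-alone: Go's crypto/x509 reports both conditions that OpenSSL calls X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED as one CertificateInvalidError with reason Expired, and it has no switch to skip the time check, so the proposed "ignore" option is emulated by re-verifying at the certificate's own NotBefore. The clocks, names and validity windows are constructed for the scenario and are assumptions, not values from the ticket.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed clocks (assumptions): the real date at which the VPN connects,
// and the date an embedded device reports after its hardware clock was reset.
var (
	realNow    = time.Date(2012, 6, 1, 0, 0, 0, 0, time.UTC)
	resetClock = time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC)
)

// issueChain creates a self-signed CA and a server certificate signed by it,
// both valid from notBefore to notAfter. Names are hypothetical.
func issueChain(notBefore, notAfter time.Time) (ca, server *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example VPN CA"},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "vpn.example.com"},
		DNSNames: []string{"vpn.example.com"}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, ca, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	server, err = x509.ParseCertificate(srvDER)
	return ca, server, err
}

// verifyAt validates server against ca the way a client does, using the
// device's clock for the validity-window check. The ticket's depth=1 error is
// the CA certificate failing exactly this check.
func verifyAt(server, ca *x509.Certificate, clock time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: "vpn.example.com", CurrentTime: clock})
	return err
}

// isTimeError reports whether err is purely a validity-window failure
// (Go uses reason Expired for both "not yet valid" and "expired").
func isTimeError(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

// verifyIgnoringTime emulates the option the ticket asks for: a window failure
// is not fatal. Signature, name and CA checks still apply; only the clock is
// disregarded, by re-verifying at the server certificate's own NotBefore.
func verifyIgnoringTime(server, ca *x509.Certificate, clock time.Time) error {
	err := verifyAt(server, ca, clock)
	if isTimeError(err) {
		return verifyAt(server, ca, server.NotBefore)
	}
	return err
}

func main() {
	report := func(label string, err error) { fmt.Printf("%-46s %v\n", label+":", err) }
	ca, srv, err := issueChain(realNow.AddDate(0, -1, 0), realNow.AddDate(10, 0, 0))
	if err != nil {
		panic(err)
	}
	report("normal chain, correct clock", verifyAt(srv, ca, realNow))
	report("normal chain, reset clock", verifyAt(srv, ca, resetClock))
	report("normal chain, reset clock, time ignored", verifyIgnoringTime(srv, ca, resetClock))
	// Why the option was declined: with time ignored, an expired chain (and any
	// key that leaked behind it) is accepted for ever.
	eca, esrv, err := issueChain(realNow.AddDate(-3, 0, 0), realNow.AddDate(-1, 0, 0))
	if err != nil {
		panic(err)
	}
	report("expired chain, correct clock", verifyAt(esrv, eca, realNow))
	report("expired chain, correct clock, time ignored", verifyIgnoringTime(esrv, eca, realNow))
	// The alternative from the reply: NotBefore set to the device's reset time.
	fca, fsrv, err := issueChain(resetClock, realNow.AddDate(10, 0, 0))
	if err != nil {
		panic(err)
	}
	report("chain valid from reset time, reset clock", verifyAt(fsrv, fca, resetClock))
	report("chain valid from reset time, correct clock", verifyAt(fsrv, fca, realNow))
}
```

The last two calls are the point of the reply: a chain whose NotBefore is the clock value the device boots with passes on both the reset and the correct clock, while an expired certificate is still rejected, so the failure is contained to that deployment's own CA. Later OpenSSL releases (1.1.0 and up) gained X509_V_FLAG_NO_CHECK_TIME, which does what the ticket asks for globally; the same objection applies to it.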