Provide tls_config_insecure_noverifytime() in order to be able to disable

certificate validity checking. ok beck@
author: jsing <> 2015-09-14 16:16:38 +0000
committer: jsing <> 2015-09-14 16:16:38 +0000
commit: 0e84a3939e912f6a384416b3af214fe8d44ff343 (patch)
tree: c19ebb2220b683828ca94f71006134cbdaa38ebd /src/lib
parent: 0f763b25777f63f3832ab70f6b1fccb6ee041476 (diff)
download: openbsd-0e84a3939e912f6a384416b3af214fe8d44ff343.tar.gz
openbsd-0e84a3939e912f6a384416b3af214fe8d44ff343.tar.bz2
openbsd-0e84a3939e912f6a384416b3af214fe8d44ff343.zip
6 files changed, 29 insertions, 6 deletions
diff --git a/src/lib/libtls/Makefile b/src/lib/libtls/Makefile
index 2e6c48716c..679aabb9ed 100644
--- a/src/lib/libtls/Makefile
+++ b/src/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.20 2015/09/14 14:29:30 jmc Exp $
+#       $OpenBSD: Makefile,v 1.21 2015/09/14 16:16:38 jsing Exp $
 CFLAGS+= -Wall -Werror -Wimplicit
 CFLAGS+= -DLIBRESSL_INTERNAL
@@ -44,6 +44,7 @@ MLINKS+=tls_init.3 tls_config_prefer_ciphers_server.3
 MLINKS+=tls_init.3 tls_config_clear_keys.3
 MLINKS+=tls_init.3 tls_config_insecure_noverifycert.3
 MLINKS+=tls_init.3 tls_config_insecure_noverifyname.3
+MLINKS+=tls_init.3 tls_config_insecure_noverifytime.3
 MLINKS+=tls_init.3 tls_config_verify.3
 MLINKS+=tls_init.3 tls_config_verify_client.3
 MLINKS+=tls_init.3 tls_config_verify_client_optional.3
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 236ed9185b..ac9262a4fc 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.31 2015/09/14 12:29:16 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.32 2015/09/14 16:16:38 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -257,6 +257,11 @@ tls_configure_ssl(struct tls *ctx)
                }
        }
+        if (ctx->config->verify_time == 0) {
+                X509_VERIFY_PARAM_set_flags(ctx->ssl_ctx->param,
+                    X509_V_FLAG_NO_CHECK_TIME);
+        }
        return (0);
 err:
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index 442fe35064..670ad0d711 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.23 2015/09/13 10:32:46 beck Exp $ */
+/* $OpenBSD: tls.h,v 1.24 2015/09/14 16:16:38 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -71,6 +71,7 @@ void tls_config_prefer_ciphers_server(struct tls_config *_config);
 void tls_config_insecure_noverifycert(struct tls_config *_config);
 void tls_config_insecure_noverifyname(struct tls_config *_config);
+void tls_config_insecure_noverifytime(struct tls_config *_config);
 void tls_config_verify(struct tls_config *_config);
 void tls_config_verify_client(struct tls_config *_config);
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 4d536853c8..d5beb38f3e 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.12 2015/09/10 09:10:42 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.13 2015/09/14 16:16:38 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -309,10 +309,17 @@ tls_config_insecure_noverifyname(struct tls_config *config)
 }
 void
+tls_config_insecure_noverifytime(struct tls_config *config)
+{
+        config->verify_time = 0;
+}
+void
 tls_config_verify(struct tls_config *config)
 {
        config->verify_cert = 1;
        config->verify_name = 1;
+        config->verify_time = 1;
 }
 void
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index feef85dcb6..12a8e4bcf7 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.47 2015/09/14 15:14:55 schwarze Exp $
+.\" $OpenBSD: tls_init.3,v 1.48 2015/09/14 16:16:38 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -40,6 +40,7 @@
 .Nm tls_config_clear_keys ,
 .Nm tls_config_insecure_noverifycert ,
 .Nm tls_config_insecure_noverifyname ,
+.Nm tls_config_insecure_noverifytime ,
 .Nm tls_config_verify ,
 .Nm tls_config_verify_client ,
 .Nm tls_config_verify_client_optional ,
@@ -114,6 +115,8 @@
 .Ft "void"
 .Fn tls_config_insecure_noverifyname "struct tls_config *config"
 .Ft "void"
+.Fn tls_config_insecure_noverifytime "struct tls_config *config"
+.Ft "void"
 .Fn tls_config_verify "struct tls_config *config"
 .Ft "void"
 .Fn tls_config_verify_client "struct tls_config *config"
@@ -365,6 +368,11 @@ disables server name verification.
 Be careful when using this option.
 .Em (Client)
 .It
+.Fn tls_config_insecure_noverifytime
+disables validity checking of certificate.
+Be careful when using this option.
+.Em (Client and server)
+.It
 .Fn tls_config_verify
 reenables server name and certificate verification.
 .Em (Client)
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 320f1fbfaa..8128c05dfc 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.23 2015/09/14 12:29:16 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.24 2015/09/14 16:16:38 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -46,6 +46,7 @@ struct tls_config {
        int verify_client;
        int verify_depth;
        int verify_name;
+        int verify_time;
 };
 struct tls_conninfo {
author	jsing <>	2015-09-14 16:16:38 +0000
committer	jsing <>	2015-09-14 16:16:38 +0000
commit	0e84a3939e912f6a384416b3af214fe8d44ff343 (patch)
tree	c19ebb2220b683828ca94f71006134cbdaa38ebd /src/lib
parent	0f763b25777f63f3832ab70f6b1fccb6ee041476 (diff)
download	openbsd-0e84a3939e912f6a384416b3af214fe8d44ff343.tar.gz openbsd-0e84a3939e912f6a384416b3af214fe8d44ff343.tar.bz2 openbsd-0e84a3939e912f6a384416b3af214fe8d44ff343.zip