git.ipfire.org Git - thirdparty/hostap.git/commit
OpenSSL: Leaf certificate time validity check when no CA is configured
author Rathan Appana <rathanappana@gmail.com>
Thu, 25 Sep 2025 16:17:45 +0000 (18:17 +0200)
committer Jouni Malinen <j@w1.fi>
Mon, 6 Oct 2025 20:47:29 +0000 (23:47 +0300)
commit df739e9e7c24adfbba51266bd0e4ba6489e6cda0
tree 0c6eb78a02f8d2eb5d282746c28b6a81910480cf
parent f5790e97cd646c5bf9ad9728970413b1b43086ea
OpenSSL: Leaf certificate time validity check when no CA is configured

When ca_cert_verify=0 (CA is not configured) the callback overrides all
OpenSSL errors, including time validity. Add an explicit leaf (depth 0)
check and do not override X509_V_ERR_CERT_HAS_EXPIRED/NOT_YET_VALID,
unless TLS_CONN_DISABLE_TIME_CHECKS is set.

This preserves the existing behavior of ignoring chain/issuer errors in
no-CA mode; pinning/CRL/OCSP/name checks are unchanged.

Signed-off-by: Rathan Appana <rathanappana@gmail.com>
src/crypto/tls_openssl.c
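
The policy change described in the commit message, as an added model that is not hostap's code and does not reproduce the patch. The function names, struct cert_model, and the DISABLE_TIME_CHECKS bit value are assumptions made for illustration; the error codes carry OpenSSL's numeric X509_V_ERR_* values so the model builds without OpenSSL headers.

```c
#include <stdbool.h>
#include <time.h>

/* Same numeric values as OpenSSL's X509_V_ERR_* codes, redefined locally. */
enum {
    V_ERR_CERT_NOT_YET_VALID = 9,
    V_ERR_CERT_HAS_EXPIRED = 10,
    V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18,
    V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20
};

/* Hypothetical stand-in for the TLS_CONN_DISABLE_TIME_CHECKS flag. */
#define DISABLE_TIME_CHECKS 0x02u

/* Hypothetical, reduced view of a certificate: only its validity window. */
struct cert_model {
    time_t not_before;
    time_t not_after;
};

static bool is_time_err(int err)
{
    return err == V_ERR_CERT_HAS_EXPIRED || err == V_ERR_CERT_NOT_YET_VALID;
}

/* Before: with no CA configured, every verification error is overridden,
 * so an expired leaf is accepted like any other chain failure. */
bool verify_no_ca_before(int err)
{
    (void) err;
    return true;
}

/* After: chain/issuer errors are still ignored, but time errors are not
 * overridden and the leaf (depth 0) validity window is checked explicitly.
 * Assumption of this model: the time error is kept at any depth, since the
 * message states no depth limit for that part. */
bool verify_no_ca_after(int err, int depth, const struct cert_model *cert,
                        time_t now, unsigned int flags)
{
    if (!(flags & DISABLE_TIME_CHECKS)) {
        if (is_time_err(err))
            return false;
        if (depth == 0 &&
            (now < cert->not_before || now > cert->not_after))
            return false;
    }
    return true; /* no-CA mode: remaining errors are overridden as before */
}
```

The fourth case in the test is the one the explicit leaf check exists for: the reported error is an issuer error, yet the leaf is outside its validity window and is rejected.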