From: Rathan Appana
Date: Thu, 2 Oct 2025 17:01:25 +0000 (+0200)
Subject: OpenSSL: Enforce leaf cert expiry check with server cert pinning
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=41996889f1ad11c3d762c1079b56259c98a90863;p=thirdparty%2Fhostap.git

OpenSSL: Enforce leaf cert expiry check with server cert pinning

When wpa_supplicant is configured to use EAP authentication with
ca_cert="hash://server/sha256/", the connection is set to
server_cert_only mode. In this mode, all leaf certificate validation
errors are currently ignored if the hash matches. This behavior was
introduced in commit 00033a0903f6 ("OpenSSL: Always accept pinned
certificates") to ignore chain validation problems [1], but it also
unintentionally ignores expiry and not-yet-valid errors on the leaf
certificate.

This patch changes the validation logic under server_cert_only mode so
that expiry (X509_V_ERR_CERT_HAS_EXPIRED) and not-yet-valid
(X509_V_ERR_CERT_NOT_YET_VALID) errors are not ignored, while other
validation errors continue to be bypassed if the hash matches. If expiry
checks must be disabled, the existing tls_disable_time_checks option can
still be used.

[1] https://lists.infradead.org/pipermail/hostap/2015-March/032240.html

Signed-off-by: Rathan Appana
---

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 625d4fec9..f172241b4 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2764,7 +2764,9 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
 		err_str = "Server certificate mismatch";
 		err = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
 		preverify_ok = 0;
-	} else if (!preverify_ok) {
+	} else if (!preverify_ok &&
+		   err != X509_V_ERR_CERT_HAS_EXPIRED &&
+		   err != X509_V_ERR_CERT_NOT_YET_VALID) {
 		/*
 		 * Certificate matches pinned certificate, allow
 		 * regardless of other problems.
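Review bot: the new condition in the `else if (!preverify_ok && ...)` branch only narrows the allow path; the hunk does not show where control goes when err is X509_V_ERR_CERT_HAS_EXPIRED or X509_V_ERR_CERT_NOT_YET_VALID and the pinned hash matched, so confirm that the fall-through branch actually rejects the handshake (preverify_ok stays 0 and the error is reported as a time-validity failure) rather than landing in a later path that treats the pinned match as success. The commit message states that tls_disable_time_checks can still be used to suppress these errors, but that option is not referenced in these lines; verify that its handling is evaluated on the same path so configurations that set it are not broken by this change. Since this tightens behaviour that has held since 00033a0903f6, the ca_cert hash://server/sha256/ description in wpa_supplicant.conf should also be updated to say that leaf expiry and not-yet-valid errors are now enforced under pinning.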