From: Rathan Appana Date: Thu, 25 Sep 2025 16:17:45 +0000 (+0200) Subject: OpenSSL: Leaf certificate time validity check when no CA is configured X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=df739e9e7c24adfbba51266bd0e4ba6489e6cda0;p=thirdparty%2Fhostap.git OpenSSL: Leaf certificate time validity check when no CA is configured When ca_cert_verify=0 (CA is not configured) the callback overrides all OpenSSL errors, including time validity. Add an explicit leaf (depth 0) check and do not override X509_V_ERR_CERT_HAS_EXPIRED/NOT_YET_VALID, unless TLS_CONN_DISABLE_TIME_CHECKS is set. This preserves the existing behavior of ignoring chain/issuer errors in no-CA mode; pinning/CRL/OCSP/name checks are unchanged. Signed-off-by: Rathan Appana
---
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index a87baf6c5..625d4fec9 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2700,7 +2700,27 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
 suffix_match = conn->suffix_match;
 domain_match = conn->domain_match;
 
- if (!preverify_ok && !conn->ca_cert_verify)
+ if (!conn->ca_cert_verify && depth == 0 &&
+ !(conn->flags & TLS_CONN_DISABLE_TIME_CHECKS)) {
+ if (X509_cmp_current_time(X509_get_notBefore(err_cert)) > 0) {
+ wpa_printf(MSG_INFO, "OpenSSL: Server certificate is not valid at the current time");
+ err = X509_V_ERR_CERT_NOT_YET_VALID;
+ X509_STORE_CTX_set_error(x509_ctx, err);
+ preverify_ok = 0;
+ } else if (X509_cmp_current_time(X509_get_notAfter(err_cert)) < 0) {
+ wpa_printf(MSG_INFO, "TLS: Server certificate has expired");
+ err = X509_V_ERR_CERT_HAS_EXPIRED;
+ X509_STORE_CTX_set_error(x509_ctx, err);
+ preverify_ok = 0;
+ }
+ }
+
+ if (!preverify_ok && !conn->ca_cert_verify && !(err == X509_V_ERR_CERT_HAS_EXPIRED || err == X509_V_ERR_CERT_NOT_YET_VALID))
 preverify_ok = 1;
 if (!preverify_ok && depth > 0 && conn->server_cert_only)
 preverify_ok = 1;
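Review bot: The new depth-0 time check treats a 0 return from `X509_cmp_current_time()` as "valid" in both branches (`> 0` for notBefore, `< 0` for notAfter), but OpenSSL returns 0 from that function when the ASN1_TIME cannot be decoded, so a leaf whose validity fields are malformed passes the check this commit adds while OpenSSL's own verifier would reject it. The comparisons should fail closed on the error case, e.g. `if (X509_cmp_current_time(X509_get_notBefore(err_cert)) >= 0) {` and `} else if (X509_cmp_current_time(X509_get_notAfter(err_cert)) <= 0) {`, with a short comment that 0 means a decode error rather than "now". The later exclusion `!(err == X509_V_ERR_CERT_HAS_EXPIRED || err == X509_V_ERR_CERT_NOT_YET_VALID)` is not limited to depth 0, so an expiry OpenSSL itself reports on an intermediate would presumably also stop being overridden in no-CA mode, which is slightly broader than the description's claim that chain errors remain ignored; if intended, a one-line comment above that `if` saying time errors are never overridden at any depth would make it explicit. The two new log messages also use different prefixes (`OpenSSL:` versus `TLS:`) for parallel conditions. tls_verify_cb begins before and ends after this hunk.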