[En-Nut-Discussion] [PATCH 1/2] FIX: accept certificate without expiration date

Krzysztof Sawicki krzysztof.sawicki at mlabs.pl
Mon Apr 24 15:35:47 CEST 2017


On 24.04.2017 13:08, Uwe Bonnes wrote:
>>>>>> "Krzysztof" == Krzysztof Sawicki <krzysztof.sawicki at mlabs.pl> writes:
>
>     Krzysztof> --- nut/tls/x509.c | 2 +- 1 file changed, 1 insertion(+), 1
>     Krzysztof> deletion(-)
>
>     Krzysztof> diff --git a/nut/tls/x509.c b/nut/tls/x509.c index
>     Krzysztof> 2b483c7..310d26b 100644 --- a/nut/tls/x509.c +++
>     Krzysztof> b/nut/tls/x509.c @@ -385,7 +385,7 @@ int x509_verify(const
>     Krzysztof> CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert) } /* check
>     Krzysztof> the not after date */ - if (tv.tv_sec > cert->not_after) + if
>     Krzysztof> ((cert->not_after != -1) && (tv.tv_sec > cert->not_after)) {
>     Krzysztof> ret = X509_VFY_ERROR_EXPIRED; goto end_verify; -- 2.7.4
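Review bot: the new condition makes `-1` in `cert->not_after` mean "no expiration date", but the hunk documents neither that meaning nor where the value is produced, so a reader cannot tell it apart from a parse failure; extend the comment `/* check the not after date */` to say that -1 marks a certificate with no expiration date per RFC 5280 4.1.2.5 (cited in the reply below), confirm that the date parser assigns -1 only for the RFC's no-expiration notAfter encoding and still rejects unparsable dates, and put the RFC reference in the commit message, which at present gives no rationale.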
>
> Dear Krzysztof,
>
> can you give some reference that a certificate without an expiration date is
> valid?

RFC 5280, section 4.1.2.5:

"In some situations, devices are given certificates for which no good
expiration date can be assigned. For example, a device could be
issued a certificate that binds its model and serial number to its
public key; such a certificate is intended to be used for the entire
lifetime of the device."

I think it is common in embedded devices. Implementing certificate
updating would be overkill.

Regards,
-- 
Krzysztof Sawicki
MLabs sp. z o.o.
ul. Kaliska 21
61-131 Poznań

tel. 61 646 84 27

KRS: 0000390306
NIP: 7822533401
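As an added example (not code from the Nut/OS tree or from either poster), here is how a notAfter string can be decoded so that the RFC 5280 4.1.2.5 no-expiration value 99991231235959Z becomes the -1 sentinel the patch tests for, and how the patched check then behaves; it assumes the time string has already been pulled out of the DER, and the function names and the X509_NO_EXPIRY macro are assumptions, not Nut/OS identifiers.

```c
#include <string.h>
#include <time.h>
/* Added example, not Nut/OS code: decode an X.509 validity string (UTCTime
 * "YYMMDDhhmmssZ" or GeneralizedTime "YYYYMMDDhhmmssZ") to an epoch time_t,
 * mapping the RFC 5280 4.1.2.5 no-expiration value 99991231235959Z to the
 * -1 sentinel the patched not_after check relies on. Parse errors are
 * reported through the return code, never through the sentinel value. */
#define X509_NO_EXPIRY ((time_t)-1)
/* Parse n ASCII digits; -1 if any character is not a digit. */
static int digits(const char *s, int n)
{
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9') return -1;
        v = v * 10 + (s[i] - '0');
    }
    return v;
}
/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's method). */
static long days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    long era = (y >= 0 ? y : y - 399) / 400, yoe = y - era * 400;
    long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}
/* 0 and *out set on success (X509_NO_EXPIRY for the sentinel); -1 if malformed. */
int x509_time_to_epoch(const char *s, time_t *out)
{
    size_t len = strlen(s);
    int year, off, mon, day, hh, mm, ss;
    if (strcmp(s, "99991231235959Z") == 0) { *out = X509_NO_EXPIRY; return 0; }
    if (len == 13 && s[12] == 'Z') {        /* UTCTime: two-digit year */
        year = digits(s, 2); off = 2;
        if (year >= 0) year += year >= 50 ? 1900 : 2000;  /* RFC 5280 4.1.2.5.1 */
    } else if (len == 15 && s[14] == 'Z') { /* GeneralizedTime: four-digit year */
        year = digits(s, 4); off = 4;
    } else return -1;
    mon = digits(s + off, 2); day = digits(s + off + 2, 2); hh = digits(s + off + 4, 2);
    mm = digits(s + off + 6, 2); ss = digits(s + off + 8, 2);
    if (year < 0 || mon < 1 || mon > 12 || day < 1 || day > 31 ||
        hh < 0 || hh > 23 || mm < 0 || mm > 59 || ss < 0 || ss > 59) return -1;
    *out = (time_t)days_from_civil(year, mon, day) * 86400 + hh * 3600 + mm * 60 + ss;
    return 0;
}
/* The check from the patch: a sentinel not_after never expires. */
int x509_is_expired(time_t not_after, time_t now)
{
    return not_after != X509_NO_EXPIRY && now > not_after;
}
```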

