Skip to content

X.509 certificate verification API when the platform doesn't have the current date #8979

New issue
New issue
Open
Open
X.509 certificate verification API when the platform doesn't have the current date#8979
Labels
api-breakThis issue/PR breaks the API and must wait for a new major versioncomponent-x509enhancementneeds-design-approvalsize-sEstimated task size: small (~2d)
@gilles-peskine-arm

Description

@gilles-peskine-arm
gilles-peskine-arm
opened on Mar 21, 2024

When MBEDTLS_HAVE_TIME_DATE is disabled, in Mbed TLS up to 3.x, X.509 silently skip expiration verification. This is an insecure default. Consider changing to always flag expiry, and allow a runtime option or callback to skip/ignore expiry.

There is already a callback to skip time verification, maybe that's enough? Maybe not well documented?

Metadata

Metadata

Assignees

No one assigned

    Labels

    api-breakThis issue/PR breaks the API and must wait for a new major versioncomponent-x509enhancementneeds-design-approvalsize-sEstimated task size: small (~2d)

    Type

    No type

    Projects

    Mbed TLS 4.0 planning

    Status

    Design needed
    Backlog for Mbed TLS

    Status

    Mbed TLS 4.0 SHOULD

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions