
Make OpenSSL accept expired certificates


I'm digging through the source code, trying to find a way to get OpenSSL to always accept expired certificates. I can't find the link between the expired errors/alarms and the actual checking code. Can anyone point me in the right direction? (My C isn't great, I'm relying on what can be carried over from C++)

The reason I want to accept expired certificates is because we have a tonne of embedded systems whose certs will expire in a few months (updating not an option because they're either off or in mass storage). The server these connect to knows to only accept these systems so allowing expired certs seemed like the most straightforward solution.


Solution

  • Make OpenSSL accept expired certificates...

    In your verification callback function, you should accept both X509_V_OK and X509_V_ERR_CERT_HAS_EXPIRED. Maybe something like:

    #include <stdio.h>
    #include <openssl/x509_vfy.h>

    /* Verification callback: preverify is OpenSSL's own verdict for the
     * certificate at the current depth (1 = passed, 0 = failed). Returning 1
     * overrides a failure and lets verification continue. */
    int verify_callback(int preverify, X509_STORE_CTX* x509_ctx)
    {
        /* For error codes, see http://www.openssl.org/docs/apps/verify.html  */
        int err = X509_STORE_CTX_get_error(x509_ctx);
    
        if(preverify == 0)
        {
            if(err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
                fprintf(stdout, "  Error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY\n");
            else if(err == X509_V_ERR_CERT_UNTRUSTED)
                fprintf(stdout, "  Error = X509_V_ERR_CERT_UNTRUSTED\n");
            else if(err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
                fprintf(stdout, "  Error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN\n");
            else if(err == X509_V_ERR_CERT_NOT_YET_VALID)
                fprintf(stdout, "  Error = X509_V_ERR_CERT_NOT_YET_VALID\n");
            else if(err == X509_V_ERR_CERT_HAS_EXPIRED)
                fprintf(stdout, "  Error = X509_V_ERR_CERT_HAS_EXPIRED\n");
            else if(err == X509_V_OK)
                fprintf(stdout, "  Error = X509_V_OK\n");
            else
                fprintf(stdout, "  Error = %d\n", err);
        }
    
        /* Treat an expired certificate as acceptable; every other error keeps
         * OpenSSL's verdict. */
        if (err == X509_V_OK || err == X509_V_ERR_CERT_HAS_EXPIRED)
            return 1;
    
        return preverify;
    }
    

    Another problem with older mobile and IoT gadgets is lack of clocks and/or aux power. You may need to allow X509_V_ERR_CERT_NOT_YET_VALID too. You will observe this for a device that powers on and thinks it's in the 1990s or 2000s. Older phones without a SIM experience this all the time. I've also observed it in modern [low end] Android phones.