
X.509 certificate verification API when the platform doesn't have the current date

Open · gilles-peskine-arm opened this issue 11 months ago · 1 comment

When MBEDTLS_HAVE_TIME_DATE is disabled, in Mbed TLS up to 3.x, X.509 silently skips expiration verification. This is an insecure default. Consider changing to always flag expiry, and allow a runtime option or callback to skip/ignore expiry.

There is already a callback to skip time verification, maybe that's enough? Maybe not well documented?

gilles-peskine-arm, Mar 21 '24 15:03
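Added example (not Mbed TLS project code, and not something posted in this issue): the callback-side shape of what the issue proposes. Mbed TLS already lets the application pass an `f_vrfy` callback and a `p_vrfy` context to `mbedtls_x509_crt_verify()`, and the callback may clear bits in `*flags`. The callback below clears only `MBEDTLS_X509_BADCERT_EXPIRED` and `MBEDTLS_X509_BADCERT_FUTURE`, and only when a runtime policy object explicitly opts in, so ignoring the validity period becomes a visible, counted decision rather than a silent default. Caveat: with the current behaviour described above (MBEDTLS_HAVE_TIME_DATE disabled) the library never sets those bits in the first place, so this callback sees nothing and cannot detect expiry; it only has teeth if the library always flags expiry as proposed. The `expiry_policy_t` struct, the `verify_chain_with_policy()` wrapper and the stand-in definitions used when the Mbed TLS headers are not installed are assumptions of this example; the flag values in the stand-in block are copied from `mbedtls/x509.h`.

```c
/*
 * Added example (not Mbed TLS project code): an explicit expiry policy
 * implemented in the f_vrfy callback of mbedtls_x509_crt_verify().
 */
#include <stdint.h>
#include <stdio.h>

#if defined(__has_include)
#  if __has_include(<mbedtls/x509_crt.h>)
#    include <mbedtls/x509_crt.h>
#    define HAVE_MBEDTLS_HEADERS 1
#  endif
#endif

#if !defined(HAVE_MBEDTLS_HEADERS)
/* Stand-ins so the policy logic compiles and can be unit-tested without
 * Mbed TLS installed (assumption: values copied from mbedtls/x509.h). */
typedef struct mbedtls_x509_crt mbedtls_x509_crt; /* opaque, never dereferenced here */
#define MBEDTLS_X509_BADCERT_EXPIRED 0x01
#define MBEDTLS_X509_BADCERT_FUTURE  0x0200
#endif

/* Hypothetical application policy object, passed as p_vrfy. */
typedef struct {
    int accept_time_errors;  /* explicit runtime opt-in to ignore the validity period */
    unsigned ignored_count;  /* how many certificates had expiry ignored (audit trail) */
    int max_depth_seen;      /* deepest chain position the callback was called for */
} expiry_policy_t;

#define TIME_FLAGS (MBEDTLS_X509_BADCERT_EXPIRED | MBEDTLS_X509_BADCERT_FUTURE)

/* Signature required by mbedtls_x509_crt_verify(): return 0 to continue,
 * nonzero to abort the whole verification. depth 0 is the leaf certificate. */
int expiry_policy_vrfy(void *p_vrfy, mbedtls_x509_crt *crt, int depth, uint32_t *flags)
{
    expiry_policy_t *policy = (expiry_policy_t *) p_vrfy;
    (void) crt;

    if (depth > policy->max_depth_seen) {
        policy->max_depth_seen = depth;
    }

    if ((*flags & TIME_FLAGS) != 0) {
        if (policy->accept_time_errors) {
            /* Opted in: drop only the time-related bits. Every other failure
             * (untrusted CA, CN mismatch, revocation, ...) is left untouched. */
            *flags &= ~(uint32_t) TIME_FLAGS;
            policy->ignored_count++;
            fprintf(stderr, "warning: ignoring validity period at depth %d\n", depth);
        }
        /* Not opted in: leave the bits set so verification fails as it should. */
    }
    return 0;
}

/* Outcome of verification for a given final flags value: only a clean
 * flags word means the chain was accepted. */
int verification_passed(uint32_t flags)
{
    return flags == 0;
}

#if defined(HAVE_MBEDTLS_HEADERS)
/* How the callback is wired in; chain and trust_ca are assumed to have
 * been parsed already with mbedtls_x509_crt_parse(). */
int verify_chain_with_policy(mbedtls_x509_crt *chain, mbedtls_x509_crt *trust_ca,
                             const char *expected_cn, expiry_policy_t *policy)
{
    uint32_t flags = 0;
    int ret = mbedtls_x509_crt_verify(chain, trust_ca, NULL, expected_cn, &flags,
                                      expiry_policy_vrfy, policy);
    if (ret != 0) {
        char buf[256];
        mbedtls_x509_crt_verify_info(buf, sizeof buf, "  ! ", flags);
        fprintf(stderr, "verification failed:\n%s", buf);
    }
    return ret;
}
#endif
```

The design choice worth noting is that the opt-in lives in a runtime object rather than a compile-time macro, so a build without a trusted clock still fails closed unless the application deliberately sets `accept_time_errors`, and the `ignored_count` gives the application something to log or alert on when that path is taken.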

Needed in terms of design:

  • What needs to change in the code.
  • How we test it.
  • We should probably provide some sample code (or a knowledge base entry).
  • Are we losing any functionality?

gilles-peskine-arm, Aug 07 '24 14:08