Make OpenSSL accept expired certificates


Question

I'm digging through the source code, trying to find a way to get OpenSSL to always accept expired certificates. I can't find the link between the expired errors/alarms and the actual checking code. Can anyone point me in the right direction? (My C isn't great, I'm relying on what can be carried over from C++)

The reason I want to accept expired certificates is because we have a tonne of embedded systems whose certs will expire in a few months (updating not an option because they're either off or in mass storage). The server these connect to knows to only accept these systems, so allowing expired certs seemed like the most straightforward solution.

Answer

Make OpenSSL accept expired certificates...

In your verification callback function, you should accept both X509_V_OK and X509_V_ERR_CERT_HAS_EXPIRED. Maybe something like:

#include <stdio.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

/* Installed with SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback).
 * OpenSSL calls it once per certificate in the chain, and again for every
 * error it finds on a certificate; preverify is 0 when the built-in check
 * failed. Returning 1 overrides that failure. There is no depth test here,
 * so an expired CA certificate is tolerated just like an expired leaf. */
int verify_callback(int preverify, X509_STORE_CTX* x509_ctx)
{
    /* For error codes, see http://www.openssl.org/docs/apps/verify.html  */
    int err = X509_STORE_CTX_get_error(x509_ctx);

    if(preverify == 0)
    {
        /* Log the specific failure OpenSSL reported for this certificate. */
        if(err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
            fprintf(stdout, "  Error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY\n");
        else if(err == X509_V_ERR_CERT_UNTRUSTED)
            fprintf(stdout, "  Error = X509_V_ERR_CERT_UNTRUSTED\n");
        else if(err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
            fprintf(stdout, "  Error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN\n");
        else if(err == X509_V_ERR_CERT_NOT_YET_VALID)
            fprintf(stdout, "  Error = X509_V_ERR_CERT_NOT_YET_VALID\n");
        else if(err == X509_V_ERR_CERT_HAS_EXPIRED)
            fprintf(stdout, "  Error = X509_V_ERR_CERT_HAS_EXPIRED\n");
        else if(err == X509_V_OK)
            fprintf(stdout, "  Error = X509_V_OK\n");
        else
            fprintf(stdout, "  Error = %d\n", err);
    }

    /* Accept a clean result or an expired certificate. Any other error
     * keeps OpenSSL's own verdict (preverify == 0, i.e. reject). */
    if (err == X509_V_OK || err == X509_V_ERR_CERT_HAS_EXPIRED)
        return 1;

    return preverify;
}

Another problem with older mobile and IoT gadgets is the lack of clocks and/or aux power. You may need to allow X509_V_ERR_CERT_NOT_YET_VALID too. You will observe this for a device that powers on and thinks it's in the 1990s or 2000s. Older phones without a SIM experience this all the time. I've also observed it in modern [low end] Android phones.
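A narrower version of the callback above, added here as an example of my own (it is not the answer's code): it tolerates only X509_V_ERR_CERT_HAS_EXPIRED, only on the peer's own certificate (depth 0, so an expired intermediate or root still fails), only within a grace window, and logs every override. It also shows the callback-free route, X509_VERIFY_PARAM_set_time(), which validates the chain "as of" a fixed instant and so covers the not-yet-valid case from the answer's last paragraph as well. The 180-day grace period, the HAVE_OPENSSL build macro, the function names and the sample timestamps are my assumptions; the OpenSSL calls are real, and X509_get0_notAfter() needs OpenSSL 1.1.0 or later.

```c
/* Added example, not from the original answer. The decision is a pure
 * function so it can be built and tested without OpenSSL; the OpenSSL glue
 * is compiled when HAVE_OPENSSL is defined. */
#include <stdio.h>
#include <time.h>

#define EXPIRY_GRACE_SECONDS (180L * 24 * 3600)   /* assumption: 180-day grace */

/* Inputs come from the verify callback:
 *   preverify_ok   1 if OpenSSL already accepted this certificate
 *   expired_error  1 if the error is X509_V_ERR_CERT_HAS_EXPIRED
 *   depth          0 = the peer's own (leaf) certificate, 1+ = issuers
 *   not_after, now seconds since the Unix epoch
 * Returns 1 to accept the certificate, 0 to reject it. */
int expiry_policy(int preverify_ok, int expired_error, int depth,
                  time_t not_after, time_t now, long grace_seconds)
{
    if (preverify_ok)
        return 1;                 /* nothing to override */
    if (!expired_error)
        return 0;                 /* never mask untrusted/self-signed/etc. */
    if (depth != 0)
        return 0;                 /* an expired CA certificate stays fatal */
    if (now < not_after)
        return 0;                 /* reported expired but notAfter is ahead: do not guess */
    if ((long)(now - not_after) > grace_seconds)
        return 0;                 /* grace window exhausted */
    return 1;
}

#ifdef HAVE_OPENSSL
#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

/* notAfter as time_t: ASN1_TIME_diff() with from == NULL measures from "now". */
static time_t notafter_to_time_t(const X509 *cert, time_t now)
{
    int days = 0, secs = 0;
    if (!ASN1_TIME_diff(&days, &secs, NULL, X509_get0_notAfter(cert)))
        return 0;
    return now + (time_t)days * 86400 + secs;
}

static int lenient_verify_cb(int preverify_ok, X509_STORE_CTX *ctx)
{
    int err = X509_STORE_CTX_get_error(ctx);
    int depth = X509_STORE_CTX_get_error_depth(ctx);
    X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
    time_t now = time(NULL);
    time_t not_after = cert ? notafter_to_time_t(cert, now) : 0;
    int ok = expiry_policy(preverify_ok, err == X509_V_ERR_CERT_HAS_EXPIRED,
                           depth, not_after, now, EXPIRY_GRACE_SECONDS);

    if (!preverify_ok) {            /* log every override and every rejection */
        char subject[256] = "(none)";
        if (cert)
            X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof subject);
        fprintf(stderr, "verify: depth=%d err=%d (%s) subject=%s -> %s\n",
                depth, err, X509_verify_cert_error_string(err), subject,
                ok ? "tolerated" : "rejected");
    }
    return ok;
}

/* Server side: require a client certificate and route failures through the policy. */
void install_lenient_verify(SSL_CTX *ssl_ctx)
{
    SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                       lenient_verify_cb);
}

/* Alternative without a callback: validate the chain "as of" a fixed instant
 * (e.g. the day the devices were provisioned). Used in a device's own SSL_CTX
 * it also avoids X509_V_ERR_CERT_NOT_YET_VALID after its clock resets, at the
 * cost of ignoring the real date for every certificate in the chain. */
void pin_verification_time(SSL_CTX *ssl_ctx, time_t as_of)
{
    X509_VERIFY_PARAM_set_time(SSL_CTX_get0_param(ssl_ctx), as_of);
}
#endif /* HAVE_OPENSSL */

int main(void)
{
    /* constructed sample: a certificate whose notAfter passed 10 days ago */
    time_t not_after = 1700000000, now = not_after + 10 * 86400;
    printf("leaf, 10 days past:  %d\n", expiry_policy(0, 1, 0, not_after, now, EXPIRY_GRACE_SECONDS));
    printf("CA,   10 days past:  %d\n", expiry_policy(0, 1, 1, not_after, now, EXPIRY_GRACE_SECONDS));
    printf("leaf, 200 days past: %d\n", expiry_policy(0, 1, 0, not_after, not_after + 200L * 86400, EXPIRY_GRACE_SECONDS));
    printf("leaf, untrusted:     %d\n", expiry_policy(0, 0, 0, not_after, now, EXPIRY_GRACE_SECONDS));
    return 0;
}
```

Build the policy alone with `cc example.c`, or with the OpenSSL glue with `cc -DHAVE_OPENSSL example.c -lssl -lcrypto`. Because OpenSSL invokes the callback once per certificate in the chain and again for each error it finds, the depth test is what keeps an expired intermediate or root fatal, and the grace window means the exception itself expires instead of living on as a permanent bypass.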
