On 03/21/2018 04:36 AM, Tabor Kelly wrote:

> Also, let's say that you are going to ship an IoT product without a real-time clock. Your first libcurl request could be to a C&C server to get the time, but you would need to use TLS and actually validate the chain of trust to prevent a MITM attack and you would need to disable the date checking (just for this first request). My pull request can be found here:
> https://github.com/curl/curl/pull/2405
Just a suggestion: why don't you sync your IoT product clock to a public pool of NTP servers? NTP is not supported by curl, but there are some open-source projects that can run as a detached daemon to sync your clock. See http://www.ntp.org/downloads.html, https://chrony.tuxfamily.org/

NTP is unencrypted UDP and only deals with time: at its own level, there is no possible information leakage and a MITM can only fool your clock. While not 100% safe, it is still widely used. See http://www.cs.bu.edu/~goldbe/papers/NTPattack.pdf.

Even if you don't have access to the public Internet, you can set up an autonomous NTP server on your LAN: it won't have the precision of stratum 1 servers, but it can be tuned to be accurate enough for your needs.

In addition, if you want to set your IoT device time ASAP after power-up to avoid it "jumping" back to the time origin before NTP does its job, you can use my own daemon, which loads the time from a file early after power-on and saves it periodically. Of course, it requires that some storage be available on the device. I have been using it successfully on very old PCs with flat batteries and on Raspberry Pi for a long time. Even if you don't use NTP but a C&C server, it can help you a lot, provided you don't leave your device off for months and the C&C server certificate renewal sets a start date in the past when installed. See https://github.com/monnerat/saveclock.

In any case, this is much saner than bypassing certificate time range validity and will also benefit other parts of your OS and application.
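The persist-and-restore idea described in the message above, as an added example that is not the saveclock project's code nor part of the original post: a device without a battery-backed RTC boots at the Unix time origin, so certificate notBefore checks fail; saving the clock to a file periodically and restoring it early at boot gives a floor that fixes this, and the same floor lets the device reject a network time reply (NTP or a server's Date header) that would drag the clock backwards. The JSON file layout, the `saved_clock.json` name, the ten-year forward cap and all dates are assumptions constructed for the example.

```python
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Unix time origin: what a device without a battery-backed RTC boots at.
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def save_clock(path, now):
    """Persist `now` atomically (temp file, fsync, rename) so a power cut in
    the middle of a write cannot leave a truncated file behind."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump({"saved_utc": now.timestamp()}, fh)  # file layout is an assumption
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, path)


def load_clock(path):
    """Return the saved time as an aware UTC datetime, or None if absent or corrupt."""
    try:
        with open(path) as fh:
            return datetime.fromtimestamp(json.load(fh)["saved_utc"], tz=timezone.utc)
    except (OSError, ValueError, KeyError, TypeError):
        return None


def restore_clock(path, system_now):
    """Clock value to apply early at boot: the later of the kernel's own clock
    and the persisted one, so time never jumps back towards the origin."""
    saved = load_clock(path)
    return system_now if saved is None else max(system_now, saved)


def accept_network_time(candidate, floor, max_forward=timedelta(days=3650)):
    """Plausibility check for a time learnt from the network (NTP, a Date header).
    The persisted floor bounds how far back a spoofed reply can drag the clock;
    `max_forward` (an arbitrary cap chosen for this example) bounds how far forward."""
    return floor <= candidate <= floor + max_forward


def cert_dates_valid(now, not_before, not_after):
    """The notBefore/notAfter comparison TLS validation makes against the clock."""
    return not_before <= now <= not_after


def demo():
    """Boot sequence of a device whose clock starts at the origin. Returns the
    outcomes so they can be checked; every value here is constructed."""
    not_before = datetime(2018, 1, 1, tzinfo=timezone.utc)
    not_after = datetime(2019, 1, 1, tzinfo=timezone.utc)
    shutdown_time = datetime(2018, 3, 21, 4, 36, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "saved_clock.json")
        save_clock(path, shutdown_time)        # the periodic save before power-off
        booted = restore_clock(path, EPOCH)    # next power-on: kernel says 1970
        return {
            "without_restore_cert_ok": cert_dates_valid(EPOCH, not_before, not_after),
            "restored_year": booted.year,
            "with_restore_cert_ok": cert_dates_valid(booted, not_before, not_after),
            # a reply that would set the clock back before the floor is rejected
            "spoofed_past_accepted": accept_network_time(EPOCH, booted),
            "plausible_ntp_accepted": accept_network_time(
                shutdown_time + timedelta(hours=6), booted),
            # first boot ever: no file, so the kernel clock is kept as-is
            "missing_file_falls_back": restore_clock(
                os.path.join(d, "nope.json"), EPOCH) == EPOCH,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script it prints the six outcomes; the interesting pair is that the same certificate fails validation against the origin clock and passes against the restored one, which is exactly the window the quoted pull request wanted to skip checking. Applying the restored value to the system clock (settimeofday or similar) is left to the daemon, since it needs privileges the example does not assume.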
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html