wrong time?

[Jouni Malinen]

On Mon, May 05, 2008 at 04:07:11PM -0600, Jeff Sadowski wrote:

> I have a mobile linux device that has no RTC as such if I start the
> device to connect without setting the clock first I get
> 
> wpa_supplicant -Dmarvell -iwlan0 -c/etc/wpa_supplicant.conf -w
> ioctl[SIOCSIWPMKSA]: Invalid argument
> Trying to associate with 00:0b:0e:26:d2:80 (SSID='ABBA1X' freq=2437 MHz)
> Associated with 00:0b:0e:26:d2:80
> CTRL-EVENT-EAP-STARTED EAP authentication started
> CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
> X509: Certificate not valid (now=1210001377 not_before=1156333193
> not_after=1187869193)

> I would like to have the device set the time automatically but only if
> it has to.

Is the time used for anything else on the device?

> Is there a way to have it try and connect first without really connecting?

Well, you could disable the part of the certificate validation that
verifies the notBefore/notAfter information if you do not have time
easily available on your client device. Sure, this would reduce the
security a bit if someone could get the private key for an expired
certificate. However, there is not really much else that could be done
here to make this more secure since you cannot really trust the network
to provide you the correct time before you have authenticated it
successfully..

> Just have it spit the above information to a script so that it can
> determin it needs to set the time to half way between
> not_before=1156333193 and not_after=1187869193

If your goal is just to get connected without much concern about the
potential security issue, it would be easier to just ignore the time
validity check. There is no guarantees that this server/CA certificate
has valid timestamp at this point and as such, just setting the client
time to somewhere between the validity period does not really make much
sense.

> Or better yet is there a way to have wpa_supplicant set the time as it
> is connecting?

The problem here is that there is no trusted source of the time at this
point. If you do not have RTC on the device, you will likely need to
decide between either modifying the hardware to have either an RTC (or a
somewhat permanent place for storing the current time in a way that
would survive reboots) or reduce security a bit by disabling the
validity check for certificate notBefore/notAfter times.

In theory, you could connect first and then try to query the current
time from some external trusted host and immediately disconnect if the
resulting time would cause any of the certificate validation steps to
fail. However, this would depend on that external trusted host being
available and being able to verify that properly may end up depending on
verifying the current time..

I don't think it would be worthwhile to make a hack that updates the
time based on the notBefore/notAfter dates from a failed authentication
attempt. It does not really increase security at all and as such I
consider it to be just unneeded extra complexity. Simply removing the
validity period verification may very well be acceptable compromise for
this type of device.

-- 
Jouni Malinen                                            PGP id EFC895FA