[PATCH] tls_openssl: Enable leaf certificate time validity check when no CA is configured
Jouni Malinen
j at w1.fi
Mon Oct 6 14:20:39 PDT 2025
On Thu, Sep 25, 2025 at 06:17:45PM +0200, Rathan Appana wrote:
> When ca_cert_verify=0 (CA is not configured) the callback overrides all OpenSSL errors,
> including time validity. Add an explicit leaf (depth 0) check and do not override X509_V_ERR_CERT_HAS_EXPIRED/NOT_YET_VALID, unless TLS_CONN_DISABLE_TIME_CHECKS is set.
>
> This preserves the existing behavior of ignoring chain/issuer errors in no-CA mode; pinning/CRL/OCSP/name checks are unchanged.
Thanks, applied.
--
Jouni Malinen PGP id EFC895FA
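The accept/reject policy the commit message describes, as an added example that is not hostap's code: a stand-alone C model of the decision a verify callback makes, given the preverify result, the OpenSSL error code and the chain depth, in both CA-configured and no-CA modes. The function name tls_verify_decide and its integer flags are hypothetical; the X509_V_ERR_* values are copied from OpenSSL's x509_vfy.h numbering so the model can be compared against a real callback (an assumption about those values, not a dependency on OpenSSL headers).

```c
/* Added example, not hostap's code: models the verify-callback decision
 * in "no CA configured" mode after the change described above.
 * The X509_V_ERR_* values mirror OpenSSL's x509_vfy.h (assumption); the
 * function and parameter names are hypothetical. */
#include <stdio.h>

#define X509_V_OK                                    0
#define X509_V_ERR_CERT_NOT_YET_VALID                9
#define X509_V_ERR_CERT_HAS_EXPIRED                  10
#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT       18
#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20

static int is_time_error(int err)
{
    return err == X509_V_ERR_CERT_HAS_EXPIRED ||
           err == X509_V_ERR_CERT_NOT_YET_VALID;
}

/* Returns 1 to accept the certificate at this depth, 0 to reject.
 * ca_cert_verify: 1 when a CA is configured (ca_cert_verify=1).
 * disable_time_checks: 1 when TLS_CONN_DISABLE_TIME_CHECKS is set.
 * preverify_ok, err, depth: what OpenSSL hands to a verify callback. */
int tls_verify_decide(int ca_cert_verify, int disable_time_checks,
                      int preverify_ok, int err, int depth)
{
    if (preverify_ok)
        return 1;

    if (ca_cert_verify) {
        /* CA configured (simplified): keep OpenSSL's verdict unless the
         * connection explicitly disabled time checks and this is a
         * time-validity error. */
        return disable_time_checks && is_time_error(err);
    }

    /* No CA configured: chain/issuer errors are still ignored at every
     * depth. The only new refusal is a leaf (depth 0) that is expired or
     * not yet valid, and only when time checks are not disabled. */
    if (depth == 0 && is_time_error(err) && !disable_time_checks)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed scenarios, no CA configured, time checks enabled. */
    struct { int err, depth; const char *what; } cases[] = {
        { X509_V_ERR_CERT_HAS_EXPIRED, 0, "expired leaf" },
        { X509_V_ERR_CERT_NOT_YET_VALID, 0, "not-yet-valid leaf" },
        { X509_V_ERR_CERT_HAS_EXPIRED, 1, "expired intermediate" },
        { X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, 0, "self-signed leaf" },
        { X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 1, "unknown issuer" },
    };
    for (unsigned i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int accept = tls_verify_decide(0, 0, 0, cases[i].err, cases[i].depth);
        printf("%-22s depth %d -> %s\n", cases[i].what, cases[i].depth,
               accept ? "accept" : "reject");
    }
    return 0;
}
```

The model makes the scope of the change visible: with no CA, an unknown issuer or a self-signed leaf is still accepted, an expired intermediate at depth 1 is still accepted, and only an expired or not-yet-valid leaf is now refused. Setting the disable-time-checks flag restores the old accept-everything behaviour for that connection. Since chain/issuer errors remain ignored in this mode, the leaf time check is a sanity check on an otherwise unauthenticated certificate, not a substitute for configuring a CA.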