[PATCH] OpenSSL: Enforce leaf cert expiry check with server cert pinning
Jouni Malinen
j at w1.fi
Mon Oct 6 14:21:00 PDT 2025
On Thu, Oct 02, 2025 at 07:01:25PM +0200, Rathan Appana wrote:
> When wpa_supplicant is configured to use EAP authentication with
> ca_cert="hash://server/sha256/<hex>", the connection is set to
> server_cert_only mode. In this mode, all leaf certificate validation
> errors are currently ignored if the hash matches. This behavior was
> introduced in commit 00033a0903f6 ("OpenSSL: Always accept pinned
> certificates") to ignore chain validation problems [1], but it also
> unintentionally ignores expiry and not-yet-valid errors on the leaf
> certificate.
>
> This patch changes the validation logic under server_cert_only mode so
> that expiry (X509_V_ERR_CERT_HAS_EXPIRED) and not-yet-valid
> (X509_V_ERR_CERT_NOT_YET_VALID) errors are not ignored, while other
> validation errors continue to be bypassed if the hash matches. If expiry
> checks must be disabled, the existing tls_disable_time_checks option can
> still be used.
>
> [1] https://lists.infradead.org/pipermail/hostap/2015-March/032240.html
Thanks, applied.
--
Jouni Malinen PGP id EFC895FA
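To make the behaviour change concrete, the following is an added example (my own illustration, not wpa_supplicant's OpenSSL glue or any code from the patch): a hash://server/sha256/<hex> pin is compared against the SHA-256 of the leaf certificate's DER encoding, a match lets chain-building failures be ignored, but the leaf's notBefore/notAfter window is still enforced unless the caller disables time checks (the role tls_disable_time_checks plays in the real config). The function and helper names (verify_server_cert, build_skeleton_cert, leaf_validity, server_pin, utc) are hypothetical, the chain_ok argument stands in for OpenSSL's preverify result, and the certificate bytes are a constructed, unsigned DER skeleton that carries only a Validity field; no signature is checked.

```python
"""Pinned server-certificate check modelled on the hostap patch above.

Added example, not wpa_supplicant's own code.  Only the ASN.1 Validity
field of the constructed certificate carries real data; issuer, subject,
SPKI and signature are placeholders, so the blob exercises the pin and
validity logic and nothing else.
"""
import hashlib
from datetime import datetime, timezone

PIN_PREFIX = "hash://server/sha256/"


def utc(year, month, day):
    """Aware UTC midnight; used for 'now' and for the constructed validity window."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def der_tlv(tag, content):
    """Encode one DER tag-length-value element (long-form length when needed)."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    length = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + content


def build_skeleton_cert(not_before, not_after):
    """Constructed stand-in for a leaf certificate: X.509 layout, dummy content."""
    def utc_time(dt):                      # UTCTime, YYMMDDHHMMSSZ
        return der_tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    empty_seq = der_tlv(0x30, b"")
    tbs = der_tlv(0x30, b"".join([
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),                        # [0] version v3
        der_tlv(0x02, b"\x01"),                                        # serialNumber
        empty_seq,                                                     # signature alg
        empty_seq,                                                     # issuer
        der_tlv(0x30, utc_time(not_before) + utc_time(not_after)),     # validity
        empty_seq,                                                     # subject
        empty_seq,                                                     # subjectPublicKeyInfo
    ]))
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    return der_tlv(0x30, tbs + empty_seq + der_tlv(0x03, b"\x00"))


def read_tlv(buf, off):
    """Decode the element at buf[off:]; return (tag, content, offset after it)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def parse_x509_time(tag, content):
    """UTCTime (two-digit year, >= 50 means 19xx per RFC 5280) or GeneralizedTime."""
    s = content.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def leaf_validity(cert_der):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter)."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    off = 0
    tag, _, nxt = read_tlv(tbs, off)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        off = nxt
    for _ in range(3):                     # serialNumber, signature, issuer
        _, _, off = read_tlv(tbs, off)
    _, validity, _ = read_tlv(tbs, off)
    t1, nb, off = read_tlv(validity, 0)
    t2, na, _ = read_tlv(validity, off)
    return parse_x509_time(t1, nb), parse_x509_time(t2, na)


def server_pin(cert_der):
    """The ca_cert value that pins exactly this leaf (SHA-256 over its DER)."""
    return PIN_PREFIX + hashlib.sha256(cert_der).hexdigest()


def verify_server_cert(cert_der, ca_cert, now, chain_ok, disable_time_checks=False):
    """Return (accepted, reason) under the post-patch rules.

    chain_ok models OpenSSL's chain verification result.  With a matching pin
    it is ignored on purpose (the server_cert_only behaviour), but expiry and
    not-yet-valid are still fatal unless time checks are explicitly disabled.
    """
    if not ca_cert.startswith(PIN_PREFIX):
        return (chain_ok, "chain validation result")     # ordinary CA mode
    if ca_cert[len(PIN_PREFIX):].lower() != hashlib.sha256(cert_der).hexdigest():
        return (False, "pin mismatch")
    if not disable_time_checks:
        not_before, not_after = leaf_validity(cert_der)
        if now < not_before:
            return (False, "X509_V_ERR_CERT_NOT_YET_VALID")
        if now > not_after:
            return (False, "X509_V_ERR_CERT_HAS_EXPIRED")
    return (True, "pin matched; chain errors ignored")


if __name__ == "__main__":
    cert = build_skeleton_cert(utc(2024, 1, 1), utc(2025, 1, 1))
    pin = server_pin(cert)
    for when in (utc(2024, 6, 1), utc(2025, 6, 1)):
        print(when.date(), verify_server_cert(cert, pin, when, chain_ok=False))
```

Running the script shows the two outcomes the patch distinguishes: the same pin accepts the leaf while its window is open even though chain_ok is False, and rejects it with X509_V_ERR_CERT_HAS_EXPIRED once the window has closed; passing disable_time_checks=True restores the pre-patch acceptance, which is the trade-off tls_disable_time_checks leaves to the operator.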