Add option for relaxed X509 time verification.

The certificates are not valid according to the RFC, but are in wide
distribution across the internet. Hence the request to add a
compile-time flag to accept these certificates if wanted by the
application.

If POLARSSL_RELAXED_X509_DATE is enabled it will allow dates without
seconds, and allow dates with timezones (but doesn't actually use
the timezone).

Patch provided by OpenVPN.
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 8fdf36e..4e52790 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -1177,6 +1177,17 @@
//#define POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
/**
+ * \def POLARSSL_X509_ALLOW_RELAXED_DATE
+ *
+ * If set, the X509 parser will not break-off when parsing an X509 certificate
+ * and encountering ASN.1 UTCTime or ASN.1 GeneralizedTime without seconds or
+ * with a time zone.
+ *
+ * Uncomment to prevent an error.
+ */
+//#define POLARSSL_X509_ALLOW_RELAXED_DATE
+
+/**
* \def POLARSSL_X509_CHECK_KEY_USAGE
*
* Enable verification of the keyUsage extension (CA and leaf certificates).
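Review bot: The doc comment added for POLARSSL_X509_ALLOW_RELAXED_DATE in config.h says dates "with a time zone" are accepted, but it leaves out what the commit message states: the timezone is not actually used. An application enabling this option should be told in the comment that an offset on a validity date is accepted and then ignored, so the effective notBefore/notAfter can differ from what the certificate encodes by the size of that offset. "Uncomment to prevent an error" also understates the effect, since the commit message describes these certificates as not valid according to the RFC; a line such as "Warning: accepts non-RFC-compliant dates; a time zone is accepted but ignored" would make the trade-off explicit. Separately, the commit message names the flag POLARSSL_RELAXED_X509_DATE while this hunk defines POLARSSL_X509_ALLOW_RELAXED_DATE; one of the two should be corrected so users enable the macro that actually exists.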