Comments (1)
ioerror
commented on September 26, 2024
-l | --leap
Normally, the passing of time or time yet to come ensures that SSL verify functions will fail to validate certificates. Commonly,
X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED are painfully annoying but still very important error states. When the only
issue with the certificates in question is the timing information, this option allows you to trust the remote system's time, as long as it is
after RECENT_COMPILE_DATE and before MAX_REASONABLE_TIME. The connection will only be trusted if X509_V_ERR_CERT_NOT_YET_VALID and/or
X509_V_OKX509_V_ERR_CERT_HAS_EXPIRED are the only errors encountered. The SSL verify function will not return X509_V_OK if there are any
other issues, such as self-signed certificates or if the user pins to a CA that is not used by the remote server. This is useful if your RTC
is broken on boot and you are unable to use DNSEC until you've at least had some kind of leap of cryptographically assured data.
In theory, --leap should do exactly what you suggest if the remote system time is after RECENT_COMPILE_DATE and before MAX_REASONABLE_TIME which seems like a fine bounding. This happens without setting the clock at verification time and only sets it if the verification errors are only related to violating those time constraints. Isn't that almost what you want?
from tlsdate.
Related Issues (20)
- Long options with arguments don't accept arguments HOT 1
- Test for BIG/LITTLE ENDIAN in test-bio.c
- Time
- minor building issues on debian testing HOT 2
- Sandboxing on other platforms HOT 1
- Tlsdate has no installation candidate HOT 2
- Make tlsdate read proxy environment variables if present
- tlsdate fails to build with openssl-1.1 (new API) HOT 1
- TLS 1.3
- tlsdate-0.0.13 fails to compile with libressl-2.5.0 HOT 1
- Help: How can I disable automatic start of tlsdated? HOT 3
- How do I embed tlsdate into a C++ application? Is there any sort of "libtlsdate"?
- Why times are all different? Only "google.com" returns accurate time! HOT 2
- By default tlsdate uses the non-standard 'nogroup' group
- [EXPIRED] Windows binary
- Last commit 2015, is this project dead? HOT 11
- compile error on raspberrypi HOT 1
- Compile error
- Make error in ubuntu 18.04 HOT 1
- where to find tlsdate servers? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from tlsdate.