My team was recently made aware of a change in the time comparison logic in openssl to adhere to RFC5280 requirements . This change will be in the upcoming 1.0.2p and 1.1.0i releases. We've had discussions regarding the impact to legacy devices in the field and feel the change could be detrimental if enabled by default.
We've seen fractional time used in many cases, for example the IAIK crypto library generated fractional times for quite a while. I believe the issue with the IAIK library has been fixed, but products still have those certs embedded in them today. In reading the discussion linked below it seems the only impetus for this change was to meet RFC5280, not that allowing fractional times was any specific vulnerability. https://github.com/openssl/openssl/issues/2620<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_openssl_openssl_issues_2620&d=DwMFAg&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=Lwc9LOtfM8pc8gkaABxWdUutvh8gwoL2KvhYe2d4y3Q&s=7DMTtQYOol3SGlQwP-5nyNTMX8ulbcaYRt5_PF8ol7g&e=> Is there any option for this going forward, removal, compile-time enabled or part of the strict checks ? Thanks ! Barry Fussell [http://www.cisco.com/web/europe/images/email/signature/tomorrow_anthem_H.png] Barry Fussell Technical Leader Security & Trust Organization [email protected]<mailto:[email protected]> Phone: +1 919 392 2920 Cisco Systems, Inc. 7025-2 Kit Creek Road Research Triangle Park, NC 27709 United States Cisco.com<http://www.cisco.com/> [http://www.cisco.com/assets/swa/img/thinkbeforeyouprint.gif]Think before you print. This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message. Please click here<http://www.cisco.com/web/about/doing_business/legal/cri/index.html> for Company Registration Information.
_______________________________________________ openssl-project mailing list [email protected] https://mta.openssl.org/mailman/listinfo/openssl-project
![http://www.cisco.com/assets/swa/img/thinkbeforeyouprint.gif]Think](http://www.cisco.com/assets/swa/img/thinkbeforeyouprint.gif]Think){kind=link}