From d8c0309d92a3f9e9dcbe6d7a5802e7cc367a703c Mon Sep 17 00:00:00 2001
From: Nicolas Escande <nescande@freebox.fr>
Date: Wed, 28 Jul 2021 16:09:15 +0200
Subject: [PATCH 5/5] add no-verify-date to skip certificate date checks

This is useful when using a pinned CA on embedded systems that may not
have a valid date (when there is no connectivity)
---
 src/openvpn/options.c     | 6 ++++++
 src/openvpn/ssl_common.h  | 1 +
 src/openvpn/ssl_openssl.c | 6 ++++++
 3 files changed, 13 insertions(+)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index f51fc947..bf2b4c69 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -665,6 +665,7 @@ static const char usage_message[] =
     "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
     "                  key usage and extended key usage based on RFC3280 TLS rules.\n"
     "                  t = 'client' | 'server'.\n"
+    "--no-verify-date : Ignore date when verifying peer certificate.\n"
 #ifdef ENABLE_PKCS11
     "\n"
     "PKCS#11 Options:\n"
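Review bot: The new usage line does not tell the reader that this option weakens certificate verification, which the surrounding entries ("--remote-cert-tls ...") do convey for their own effect. Suggest `"--no-verify-date : Ignore notBefore/notAfter when verifying the peer certificate\n" "                  (for systems without a valid clock; weakens verification).\n"`. The usage_message array starts and ends outside the hunk.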
@@ -8459,6 +8460,11 @@ add_option(struct options *options,
             goto err;
         }
     }
+    else if (streq(p[0], "no-verify-date") && !p[1])
+    {
+        VERIFY_PERMISSION(OPT_P_GENERAL);
+        options->ssl_flags |= SSLF_SKIP_VERIFY_DATE;
+    }
     else if (streq(p[0], "tls-timeout") && p[1] && !p[2])
     {
         VERIFY_PERMISSION(OPT_P_TLS_PARMS);
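Review bot: The new branch sets SSLF_SKIP_VERIFY_DATE unconditionally, but only the OpenSSL backend in this series consumes the flag (the ssl_openssl.c hunk); on a build using the mbedTLS backend the option would be accepted and silently have no effect, which is the worst outcome for a security-relevant knob. Either reject the option at parse time when the backend does not implement it, or log a warning when it is set so the operator can see that date checks are being disabled, e.g. `msg(M_WARN, "WARNING: --no-verify-date disables certificate validity period checks");`. add_option starts and ends outside the hunk, so the exact placement of a postprocess-time check cannot be judged from here.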
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 73f18e59..76a75b0b 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -350,6 +350,7 @@ struct tls_options
 #define SSLF_TLS_VERSION_MAX_SHIFT    10
 #define SSLF_TLS_VERSION_MAX_MASK     0xF  /* (uses bit positions 10 to 13) */
 #define SSLF_TLS_DEBUG_ENABLED        (1<<14)
+#define SSLF_SKIP_VERIFY_DATE         (1<<15)
     unsigned int ssl_flags;
 
 #ifdef MANAGEMENT_DEF_AUTH
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 64304f22..271c7668 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -360,6 +360,12 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
     SSL_CTX_set_session_cache_mode(ctx->ctx, SSL_SESS_CACHE_OFF);
     SSL_CTX_set_default_passwd_cb(ctx->ctx, pem_password_callback);
 
+    /* skip certificate date validation */
+    if (ssl_flags & SSLF_SKIP_VERIFY_DATE) {
+        X509_VERIFY_PARAM *param = SSL_CTX_get0_param(ctx->ctx);
+        X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_NO_CHECK_TIME);
+    }
+
     /* Require peer certificate verification */
     int verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
     if (ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
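Review bot: X509_V_FLAG_NO_CHECK_TIME is an OpenSSL 1.1.0 addition, so if this tree still builds against older OpenSSL releases the new block will fail to compile there; wrap it in `#ifdef X509_V_FLAG_NO_CHECK_TIME` (or a version check) and fail loudly when the flag was requested but is unavailable, rather than compiling it out silently. The comment `/* skip certificate date validation */` should also say that this relaxes verification for every certificate in the chain, and presumably CRL validity times as well, since the flag is set on the whole SSL_CTX verify parameters — worth confirming against the OpenSSL version in use. The brace placement `) {` on the new `if` does not match the surrounding style, which puts the brace on its own line. tls_ctx_set_options continues outside the hunk.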
-- 
2.32.0

