Would libfaketime or run_as_date help?


Date: Thu, 11 Jul 2019 10:48:39 -0400
From: Christopher Schultz <chris@christopherschultz.net>
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Possible to verify client certificate BUT ignore expiration-date?

Eric,

(Coming back to this.)

On 5/14/19 14:41, Eric Eberhard wrote:
> Chris,

> There are "real" certificates you purchase from a certificate authority and pay an annual fee.  If this is https you pretty much need that or the user gets errors.  By private I meant "self signed."

> However, openssl has an option to create a certificate.  You type the name, address, whatever, and it makes a certificate.  It is JUST AS GOOD as a purchased certificate (except https or perhaps others that want certificate authority certificates).  I use them for FTP and SSH and many things .

> openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

> You can put your own expire date(days) when you make the cert.  A screen will come up and ask 20 questions :-)  If you cannot do it (don't have openssl installed) I can do it for you.  It certainly will work as a stop-gap.  We don't need it for https as it is Apache on a machine that is hosted.

So... everything above is exactly what we do with this vendor. We don't
have a problem getting a well-known-CA to sign the certificate. We have
(had) a problem with the vendor just getting the damned work done.

Yes, I know it is a 5-minute process but when you are dealing with a big
company where you have to have 6 managers in multiple time zones call
each other to confirm the problem, have a meeting about the solution,
determine a course of action, allocate a resource to perform the work,
QA the solution, then get an IT review of everything before placing
something into production, that 5-minute fix can take days or weeks.

I just wanted to say "I still trust this certificate, even though it has
expired."

Is that possible to do without recompiling stunnel?

Thanks,
-chris