wrong time?

Jeff Sadowski jeff.sadowski at gmail.com
Wed May 7 10:04:31 EDT 2008


On Wed, May 7, 2008 at 3:16 AM, Jouni Malinen <j at w1.fi> wrote:
> On Mon, May 05, 2008 at 04:07:11PM -0600, Jeff Sadowski wrote:
>
>  > I have a mobile linux device that has no RTC as such if I start the
>  > device to connect without setting the clock first I get
>  >
>  > wpa_supplicant -Dmarvell -iwlan0 -c/etc/wpa_supplicant.conf -w
>  > ioctl[SIOCSIWPMKSA]: Invalid argument
>  > Trying to associate with 00:0b:0e:26:d2:80 (SSID='ABBA1X' freq=2437 MHz)
>  > Associated with 00:0b:0e:26:d2:80
>  > CTRL-EVENT-EAP-STARTED EAP authentication started
>  > CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
>  > X509: Certificate not valid (now=1210001377 not_before=1156333193
>  > not_after=1187869193)
>
>
> > I would like to have the device set the time automatically but only if
>  > it has to.
>
>  Is the time used for anything else on the device?

If it was i would use ntp after connecting

>
>
>  > Is there a way to have it try and connect first without really connecting?
>
>  Well, you could disable the part of the certificate validation that
>  verifies the notBefore/notAfter information if you do not have time
>  easily available on your client device. Sure, this would reduce the
>  security a bit if someone could get the private key for an expired
>  certificate. However, there is not really much else that could be done
>  here to make this more secure since you cannot really trust the network
>  to provide you the correct time before you have authenticated it
>  successfully..
>

Can I do this with an option in wpa_supplicant.conf? or a flag to
wpa_supplicant?

>
>  > Just have it spit the above information to a script so that it can
>  > determin it needs to set the time to half way between
>  > not_before=1156333193 and not_after=1187869193
>
>  If your goal is just to get connected without much concern about the
>  potential security issue, it would be easier to just ignore the time
>  validity check. There is no guarantees that this server/CA certificate
>  has valid timestamp at this point and as such, just setting the client
>  time to somewhere between the validity period does not really make much
>  sense.
>

Again can I do this without hacking wpa_supplicant? If I need to hack,
the script for now works better
Its easier for me to distribute a script than a patch for an external
build environment.

>
>  > Or better yet is there a way to have wpa_supplicant set the time as it
>  > is connecting?
>
>  The problem here is that there is no trusted source of the time at this
>  point. If you do not have RTC on the device, you will likely need to
>  decide between either modifying the hardware to have either an RTC (or a
>  somewhat permanent place for storing the current time in a way that
>  would survive reboots) or reduce security a bit by disabling the
>  validity check for certificate notBefore/notAfter times.
>

There is no RTC I don't really need the time I was just setting it for
the certificate.

>  In theory, you could connect first and then try to query the current
>  time from some external trusted host and immediately disconnect if the
>  resulting time would cause any of the certificate validation steps to
>  fail. However, this would depend on that external trusted host being
>  available and being able to verify that properly may end up depending on
>  verifying the current time..
>
>  I don't think it would be worthwhile to make a hack that updates the
>  time based on the notBefore/notAfter dates from a failed authentication
>  attempt. It does not really increase security at all and as such I
>  consider it to be just unneeded extra complexity. Simply removing the
>  validity period verification may very well be acceptable compromise for
>  this type of device.
>

No it doesn't I was just trying somehow to automate the process of
trusting the cert. The script is very clumsy. It is harder to compile
code for this device than it is writing a clumsy script. To compile
code i need to work on an external computer for now since it doesn't
have network file systems via default. and it does not have enough
room for its own build environment.  I would like an option if it
doesn't exist not to validate.

>  --
>  Jouni Malinen                                            PGP id EFC895FA
>  _______________________________________________
>  HostAP mailing list
>  HostAP at lists.shmoo.com
>  http://lists.shmoo.com/mailman/listinfo/hostap
>


More information about the HostAP mailing list