Bug - Library doesn't validate server certificate expiration

[JayNewstrom]

When trying to connect to a server with an expired certificate, the client connects successfully. This should be rejected, as it's a security risk.

[rojer]

this doesn't just apply to mqtt but to all TLS in mongoose os currently - time validation is not performed.
but i agree, it should be made possible, even if off by default (to maintain compatibility).

[JayNewstrom]

I see. That's not good! I'd like to help this get fixed. I'd be willing to do the work if you point me in the direction, and are willing to accept the direction.

[rojer]

there isn't much you can do, unfortunately, as mbedtls is a closed library in mos.
once 2.17 is out (soon), i think we can add a global setting, e.g. sys.cert_validity_check with possible values:

• 0 - no cert validity check, i.e. current behavior (default)
• 1 - check validity of certificates if wall time is set (i.e. mg_time() is something reasonable), otherwise allow.
• 2 - always check validity of certificates, meaning all connection will fail until time is set

does this sound reasonable?

[JayNewstrom]

This sounds great. Thanks!