Server certificate expiry time is not verified

Dear support,

We are connecting with an MQTT server with an expired server certificate. My expectation is that the handshake fails, but apparently the NRF9161 accepts the server. I make use of the Nordic SDK v3.3.1, modem firmware 2.0.2, MQTT helper with peer verify set to TLS_PEER_VERIFY_REQUIRED and offload sockets. After digging in the changelog I found this limitation: "Server certificate expiry time is not verified". This same limitation is also noted in the newest version (2.0.4).

Why does this limitation still exists and is there possibility to fix this?

kind regards,

Joost Raats

Parents

0 Benjamin 1 hour ago

Hi Joost,

The certificate expiry time is not verified during the TLS handshake, because the modem firmware cannot be guaranteed to have a valid calendar time. Time may be obtained from the network, but this is not guaranteed.

Without a valid time, it's possible that no TLS connection can be opened. To minimize that risk, certificate expiry is not validated. If this validation is a requirement for you, one solution is to move the TLS stack to the application core using Mbed TLS.

Best regards,
Benjamin
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Benjamin 1 hour ago

Hi Joost,

The certificate expiry time is not verified during the TLS handshake, because the modem firmware cannot be guaranteed to have a valid calendar time. Time may be obtained from the network, but this is not guaranteed.

Without a valid time, it's possible that no TLS connection can be opened. To minimize that risk, certificate expiry is not validated. If this validation is a requirement for you, one solution is to move the TLS stack to the application core using Mbed TLS.

Best regards,
Benjamin
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data