authorBob Beck <beck@cvs.openbsd.org>2017-01-24 23:47:35 +0000
committerBob Beck <beck@cvs.openbsd.org>2017-01-24 23:47:35 +0000
commitfb0e96c86ec553a9cae3f448550ee30d2f660826 (patch)
tree7fbbb7bcec5e443f5a36866a731dee03e5c49e0f
parent1260fef9e5f3b9d57736703384fe45b3746f546a (diff)
Add -S noverifytime to ftp to permit an unvalidated TLS connection when
you don't know what time it is
-rw-r--r--usr.bin/ftp/ftp.16
-rw-r--r--usr.bin/ftp/main.c7
2 files changed, 10 insertions, 3 deletions
diff --git a/usr.bin/ftp/ftp.1 b/usr.bin/ftp/ftp.1
index daf7433a67c..c498896fa7d 100644
--- a/usr.bin/ftp/ftp.1
+++ b/usr.bin/ftp/ftp.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ftp.1,v 1.105 2017/01/03 17:00:04 deraadt Exp $
+.\" $OpenBSD: ftp.1,v 1.106 2017/01/24 23:47:34 beck Exp $
.\" $NetBSD: ftp.1,v 1.22 1997/08/18 10:20:22 lukem Exp $
.\"
.\" Copyright (c) 1985, 1989, 1990, 1993
@@ -30,7 +30,7 @@
.\"
.\" @(#)ftp.1 8.3 (Berkeley) 10/9/94
.\"
-.Dd $Mdocdate: January 3 2017 $
+.Dd $Mdocdate: January 24 2017 $
.Dt FTP 1
.Os
.Sh NAME
@@ -251,6 +251,8 @@ Perform server certificate validation.
Don't perform server certificate validation.
.It Cm muststaple
Require the server to present a valid OCSP stapling in the TLS handshake.
+.It Cm noverifytime
+Disable validation of cetificate times and OCSP validation.
.El
.Pp
By default, server certificate validation is performed, and if it fails
diff --git a/usr.bin/ftp/main.c b/usr.bin/ftp/main.c
index aa460ad84da..66642f9ff7c 100644
--- a/usr.bin/ftp/main.c
+++ b/usr.bin/ftp/main.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: main.c,v 1.118 2017/01/21 08:33:07 krw Exp $ */
+/* $OpenBSD: main.c,v 1.119 2017/01/24 23:47:34 beck Exp $ */
/* $NetBSD: main.c,v 1.24 1997/08/18 10:20:26 lukem Exp $ */
/*
@@ -98,6 +98,8 @@ char * const ssl_verify_opts[] = {
"depth",
#define SSL_MUSTSTAPLE 6
"muststaple",
+#define SSL_NOVERIFYTIME 7
+ "noverifytime",
NULL
};
@@ -152,6 +154,9 @@ process_ssl_options(char *cp)
case SSL_MUSTSTAPLE:
tls_config_ocsp_require_stapling(tls_config);
break;
+ case SSL_NOVERIFYTIME:
+ tls_config_insecure_noverifytime(tls_config);
+ break;
default:
errx(1, "unknown -S suboption `%s'",
suboptarg ? suboptarg : "");
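Review bot: The new `SSL_NOVERIFYTIME` case in process_ssl_options turns off certificate validity-period checking silently, so an expired or not-yet-valid server certificate is accepted with nothing in the output to show that validation was weakened. Since the option exists for hosts whose clock cannot be trusted yet, a one-line notice before the `break`, such as `warnx("certificate validity times are not being checked");`, would make that state visible in scripts and logs. A comment above the call would help the next reader, e.g. `/* insecure: skips notBefore/notAfter checks; only for hosts without a trusted clock */`. How this combines with `muststaple` cannot be seen from this hunk; the ftp.1 text added in the same commit says OCSP validation is disabled as well, so the comment should state what happens when both suboptions are given. The body of process_ssl_options starts and ends outside the hunk.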