From 405a4a7f3e60310095d7ef244e69d9acccc12322 Mon Sep 17 00:00:00 2001
From: Ismael Luceno <ismael@iodev.co.uk>
Date: Sun, 1 Nov 2020 01:59:11 +0100
Subject: [PATCH for 2.9] Fix compatibility with pre-RFC-5280 certificates

Allow GENERALIZEDTIME for dates before 2050, it isn't a security issue, and
enables interoperability with older software.

Based on a patch by Johan de Vries <devries@wivion.nl>.
---
 crypto/x509/x509_vfy.c            |  3 +++
 1 files changed, 3 insertions(+)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index e98272a6c3..a3dd4e798d 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1885,6 +1885,9 @@ X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time, int clamp_notafte
 	if (type == -1)
 		goto out; /* invalid time */

+	/* Allow GENERALIZEDTIME for dates before 2050, it isn't a security
+	 * issue, and enables interoperability with older software. */
+	if (type != V_ASN1_GENERALIZEDTIME)
 	/* RFC 5280 section 4.1.2.5 */
 	if (tm1.tm_year < 150 && type != V_ASN1_UTCTIME)
 		goto out;
--
2.28.0