TLS not working due to certificate expiration date checks.

[epilys]

I haven't seen how the dynamic linking injection works in sdate, but it can be solved if the tls lib is added at the end of LD_PRELOAD. If the tls functions are static though, then there's nothing that can be done.

[epilys]

With certificate exp-check turned off, here's a screenshot of meli with sdate:

[df7cb]

Hi,
is there anything I should do on the sdate side?

[epilys]

Yes if you want to, there are some hacky workarounds but no catch-all solution.

it can be solved if the tls lib is added at the end of LD_PRELOAD.

Basically all libs defined in LD_PRELOAD are linked from right to left:

Objects are searched for and
added to the link map in the left-to-right order specified
in the list.
ld.so(8)

So if you test that a binary links to a library e.g. libssl or libgnutls.so (ldd "${binary}" | grep ...) it can append it at the end of LD_PRELOAD value. The TLS/SSL libraries will be linked first, getting the canonical time functions from libc.

[epilys]

Also I guess you can add the screenshot to "Programs compatible with sdate" in the website :)

[df7cb]

TBH I didn't even get what the problem is. What did you do exactly, how do I reproduce?

[epilys]

TLS libraries check that remote certificates have not expired. Since the dates are tampered with, they will not see valid certificates (i.e certificates that have expiration date in the future)