[openssl-users] Verify callback to ignore certificate expiry

Nounou Dadoun nounou.dadoun at avigilon.com
Thu Dec 3 17:11:17 UTC 2015


Thanks for your help, I posted the sample (which I guess is a little misleading given that it's taken straight off the OpenSSL page I noted) and not what it currently does which is very close to what you've suggested.  So that's one problem I don't have to worry about!  Thanks again  ... N


Nou Dadoun
Senior Firmware Developer, Security Specialist





-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Viktor Dukhovni
Sent: Thursday, December 03, 2015 9:08 AM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Verify callback to ignore certificate expiry

On Thu, Dec 03, 2015 at 05:00:12PM +0000, Nounou Dadoun wrote:

> Calling
> 	X509_STORE_CTX_set_error(ctx, X509_V_OK);
> is actually what I'm doing already but I was worried that it would
> then ignore any other errors (e.g. bad signature etc.);

No, because each error is reported separately, and you're not setting "ok = 1" for the other errors.

> I'd actually thought
> the errors might be ORed together but that doesn't look like the case.

Each error is reported separately.

> So does it invoke the callback for each error (which is sort of a convoluted way of ORing)?

Yes, though I don't think of it as "ORing".

> If I say ok to EXPIRED will it catch a bad signature?

Yes.

-- 
	Viktor.
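
The per-error callback behaviour discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL code: a small C model in which `struct model_ctx` and `model_verify` are hypothetical stand-ins for `X509_STORE_CTX` and the library's verification loop. The error codes carry the names and values from `<openssl/x509_vfy.h>`, and the error lists are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Error codes, same names and values as in <openssl/x509_vfy.h>. */
enum { X509_V_OK = 0, X509_V_ERR_CERT_SIGNATURE_FAILURE = 7,
       X509_V_ERR_CERT_HAS_EXPIRED = 10 };

/* Hypothetical stand-in for X509_STORE_CTX: only the current error. */
struct model_ctx { int error; };

/* Callback policy from the thread: accept expiry, nothing else. A real
 * callback would use X509_STORE_CTX_get_error()/X509_STORE_CTX_set_error(). */
static int verify_cb(int ok, struct model_ctx *ctx)
{
    if (!ok && ctx->error == X509_V_ERR_CERT_HAS_EXPIRED) {
        ctx->error = X509_V_OK;  /* clear this one error */
        return 1;                /* ok = 1 for expiry only */
    }
    return ok;                   /* other errors keep ok = 0 */
}

/* Model of the verifier: each problem gets its own callback invocation.
 * Returns X509_V_OK if all were accepted, else the first rejected code. */
int model_verify(const int *errors, size_t n)
{
    struct model_ctx ctx = { X509_V_OK };
    for (size_t i = 0; i < n; i++) {
        ctx.error = errors[i];
        if (!verify_cb(0, &ctx))
            return ctx.error;
    }
    return X509_V_OK;
}

/* Constructed inputs: problems found in two hypothetical chains. */
const int expired_only[] = { X509_V_ERR_CERT_HAS_EXPIRED };
const int expired_bad_sig[] = { X509_V_ERR_CERT_HAS_EXPIRED,
                                X509_V_ERR_CERT_SIGNATURE_FAILURE };

int main(void)
{
    printf("expired only: %d\n", model_verify(expired_only, 1));
    printf("expired + bad signature: %d\n", model_verify(expired_bad_sig, 2));
    return 0;
}
```

The chain that is only expired passes, while the chain that is expired and also has a bad signature is still rejected with the signature error.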