question about certificate verify
Viktor Dukhovni
openssl-users at dukhovni.org
Mon Aug 26 14:46:16 UTC 2019
On Mon, Aug 26, 2019 at 02:39:40PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> > To ignore expiration of only the leaf certificate, you
> > need a verification callback that checks the error
> > reason at depth 0 and if it is expiration, returns
> > "ok = 1" anyway.
>
> Is there a potential problem - if a certificate has multiple issues, such
> as bad signature and certificate expired? Would all of these conditions
> be reported, or only the first one detected?
The verification callback is called separately for each error
condition (and at least once on success if no errors are seen).
It is therefore possible to ignore *just* the expiration of a
particular chain element without ignoring other errors.
--
Viktor.
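The behaviour described in the reply above, as an added example that is not part of the original post: a verification callback that forgives only expiration at depth 0, plus a constructed replay showing that a second error on the same certificate still rejects the chain. The names `leaf_expiry_policy`, `verify_cb`, `replay` and the `USE_OPENSSL` build switch are assumptions made for this illustration.

```c
/* Build with -DUSE_OPENSSL (and -lssl -lcrypto) to compile the real callback;
 * without it only the policy and a constructed replay are compiled. */
#include <stddef.h>
#ifdef USE_OPENSSL
#include <openssl/ssl.h>
#else /* numeric values as defined in OpenSSL's x509_vfy.h */
#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7
#define X509_V_ERR_CERT_HAS_EXPIRED 10
#endif

/* Hypothetical helper: forgive only "expired" on the leaf (depth 0). */
int leaf_expiry_policy(int ok, int err, int depth)
{
    if (!ok && depth == 0 && err == X509_V_ERR_CERT_HAS_EXPIRED)
        return 1;
    return ok; /* any other error, or expiry higher in the chain, stands */
}

#ifdef USE_OPENSSL
/* Install with SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cb). */
int verify_cb(int ok, X509_STORE_CTX *ctx)
{
    return leaf_expiry_policy(ok, X509_STORE_CTX_get_error(ctx),
                              X509_STORE_CTX_get_error_depth(ctx));
}
#endif

/* Constructed stand-in for the verifier: one callback call per error,
 * and the chain is rejected as soon as one call returns 0. */
struct cb_call { int err; int depth; };

int replay(const struct cb_call *calls, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!leaf_expiry_policy(0, calls[i].err, calls[i].depth))
            return 0;
    return 1;
}

/* Constructed scenarios: { error, depth } pairs as the callback sees them. */
int expired_leaf_only(void)
{ struct cb_call c[] = { { X509_V_ERR_CERT_HAS_EXPIRED, 0 } }; return replay(c, 1); }
int expired_leaf_bad_signature(void)
{ struct cb_call c[] = { { X509_V_ERR_CERT_SIGNATURE_FAILURE, 0 },
                         { X509_V_ERR_CERT_HAS_EXPIRED, 0 } }; return replay(c, 2); }
int expired_intermediate(void)
{ struct cb_call c[] = { { X509_V_ERR_CERT_HAS_EXPIRED, 1 } }; return replay(c, 1); }
```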