[openssl-users] Verify callback to ignore certificate expiry

Thu Dec 3 06:01:36 UTC 2015

Another quick question, I'm setting up a server ssl handshake on a device on which the certificate verification will sometimes fail not because the certificate is bad but because the time is not set properly on the device.

I'm doing an ssl verify callback that is almost identical to one of the examples in https://www.openssl.org/docs/manmaster/crypto/X509_STORE_CTX_set_verify_cb.html
I.e.

 int verify_callback(int ok, X509_STORE_CTX *ctx)
        {
        int err = X509_STORE_CTX_get_error(ctx);
        X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
        if (err == X509_V_ERR_CERT_HAS_EXPIRED)
                {
                if (check_is_acceptable_expired_cert(err_cert)
                        return 1;
                }
        return ok;
        }

I have some other slight differences but basically what I need is an implementation for the (fictitious) "check_is_acceptable_expired_cert(err_cert)" function call.

Is there any quick way of doing this that doesn't involve completely reconstructing the steps for verification (and leaving one out)?  I can do that if I need to but this is only one part of a larger endeavour that will take much more time - any pointers? thanks .... N