[openssl-users] Verify callback to ignore certificate expiry

Viktor Dukhovni openssl-users at dukhovni.org
Thu Dec 3 14:59:48 UTC 2015

On Thu, Dec 03, 2015 at 06:01:36AM +0000, Nounou Dadoun wrote:

> Another quick question, I'm setting up a server ssl handshake on a device on which the certificate verification will sometimes fail not because the certificate is bad but because the time is not set properly on the device.
> I'm doing an ssl verify callback that is almost identical to one of the examples in https://www.openssl.org/docs/manmaster/crypto/X509_STORE_CTX_set_verify_cb.html
> I.e.
>  int verify_callback(int ok, X509_STORE_CTX *ctx)
>         {
>         int err = X509_STORE_CTX_get_error(ctx);
>         X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
>         if (err == X509_V_ERR_CERT_HAS_EXPIRED)
>                 {
>                 if (check_is_acceptable_expired_cert(err_cert)
>                         return 1;
>                 }
>         return ok;
>         }
> I have some other slight differences but basically what I need is an
> implementation for the (fictitious)
> "check_is_acceptable_expired_cert(err_cert)" function call.
> Is there any quick way of doing this that doesn't involve completely
> reconstructing the steps for verification (and leaving one out)?  I can
> do that if I need to but this is only one part of a larger endeavour that
> will take much more time - any pointers? thanks .... N

The required function is mostly a NOOP, after you return 1, OpenSSL
will continue to perform all the other checks it would do had the
certificate not been expired.

However, you probably want the verification result to be OK at the
completion of the handshake (have SSL_get_verify_result() return
X509_V_OK).  So all that the code needs to do is to set the error
status to X509_V_OK.  

	X509_STORE_CTX_set_error(ctx, X509_V_OK);

Provided you return 0 (abort the handshake on any errors you're
not explicitly ignoring, you're OK.

If you ever decide to continue handshakes despite other errors,
then more care is required to restore any previous error status
(which you'll need to store somewhere) when ignoring the errors
you want to suppress.


More information about the openssl-users mailing list