[openssl-users] Verify callback to ignore certificate expiry

Nounou Dadoun nounou.dadoun at avigilon.com
Thu Dec 3 17:00:12 UTC 2015


Calling
	X509_STORE_CTX_set_error(ctx, X509_V_OK);
is actually what I'm doing already, but I was worried that it would then ignore any other errors (e.g. bad signature etc.); I'd actually thought the errors might be ORed together but that doesn't look like the case.
So does it invoke the callback for each error (which is sort of a convoluted way of ORing)?

If I say ok to EXPIRED will it catch a bad signature?

Thanks for your help ... N 


Nou Dadoun

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Viktor Dukhovni
Sent: Thursday, December 03, 2015 7:00 AM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Verify callback to ignore certificate expiry

On Thu, Dec 03, 2015 at 06:01:36AM +0000, Nou Dadoun wrote:

> Another quick question, I'm setting up a server ssl handshake on a device on which the certificate verification will sometimes fail not because the certificate is bad but because the time is not set properly on the device.
> 
> I'm doing an ssl verify callback that is almost identical to one of 
> the examples in 
> https://www.openssl.org/docs/manmaster/crypto/X509_STORE_CTX_set_verify_cb.html
> I.e.
> 
>  int verify_callback(int ok, X509_STORE_CTX *ctx)
>         {
>         int err = X509_STORE_CTX_get_error(ctx);
>         X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
>         if (err == X509_V_ERR_CERT_HAS_EXPIRED)
>                 {
>                 if (check_is_acceptable_expired_cert(err_cert))
>                         return 1;
>                 }
>         return ok;
>         }
> 
> I have some other slight differences but basically what I need is an 
> implementation for the (fictitious) 
> "check_is_acceptable_expired_cert(err_cert)" function call.
> 
> Is there any quick way of doing this that doesn't involve completely 
> reconstructing the steps for verification (and leaving one out)?  I 
> can do that if I need to but this is only one part of a larger 
> endeavour that will take much more time - any pointers? thanks .... N

The required function is mostly a NOOP; after you return 1, OpenSSL will continue to perform all the other checks it would do had the certificate not been expired.

However, you probably want the verification result to be OK at the completion of the handshake (have SSL_get_verify_result() return X509_V_OK).  So all that the code needs to do is to set the error status to X509_V_OK.  

	X509_STORE_CTX_set_error(ctx, X509_V_OK);

Provided you return 0 (abort the handshake) on any errors you're not explicitly ignoring, you're OK.

If you ever decide to continue handshakes despite other errors, then more care is required to restore any previous error status (which you'll need to store somewhere) when ignoring the errors you want to suppress.

-- 
	Viktor.
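
The behaviour discussed in this thread, as a small self-contained model added here (not code from the thread and not OpenSSL's own code). Every name in it (`model_ctx`, `model_verify`, the `M_*` codes) is a hypothetical stand-in, and it assumes what the replies state: each failed check sets one error value and invokes the callback, and a 0 return aborts verification.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for OpenSSL's X509_V_* codes; this is a model. */
enum { M_OK, M_ERR_SIGNATURE_FAILURE, M_ERR_HAS_EXPIRED };
/* Models the one current-error value the verify context holds. */
struct model_ctx { int error; };
struct outcome { int verified, error, calls; };
typedef int (*model_cb)(int ok, struct model_ctx *ctx);

/* Accept expiry only, clearing it; abort on every other error. */
int cb_ignore_expiry(int ok, struct model_ctx *ctx) {
    if (ok)
        return 1;
    if (ctx->error == M_ERR_HAS_EXPIRED) {
        ctx->error = M_OK;
        return 1;
    }
    return 0;
}

/* Pitfall: continues on every error, so clearing expiry erases earlier ones. */
int cb_continue_on_all(int ok, struct model_ctx *ctx) {
    if (!ok && ctx->error == M_ERR_HAS_EXPIRED)
        ctx->error = M_OK;
    return 1;
}

/* Each failed check overwrites the error (no ORing) and calls cb with ok=0. */
struct outcome model_verify(const int *failed, size_t n, model_cb cb) {
    struct model_ctx ctx = { M_OK };
    struct outcome out = { 1, M_OK, 0 };
    for (size_t i = 0; i < n && out.verified; i++) {
        ctx.error = failed[i];
        out.verified = cb(0, &ctx);   /* a 0 return stops verification */
        out.calls++;
    }
    out.error = ctx.error;
    return out;
}

/* Constructed inputs: failing checks in the order they are reported. */
const int EXPIRED_THEN_BADSIG[] = { M_ERR_HAS_EXPIRED, M_ERR_SIGNATURE_FAILURE };
const int BADSIG_THEN_EXPIRED[] = { M_ERR_SIGNATURE_FAILURE, M_ERR_HAS_EXPIRED };

int main(void) {
    struct outcome a = model_verify(EXPIRED_THEN_BADSIG, 2, cb_ignore_expiry);
    struct outcome b = model_verify(BADSIG_THEN_EXPIRED, 2, cb_continue_on_all);
    printf("strict:  verified=%d error=%d calls=%d\n", a.verified, a.error, a.calls);
    printf("lenient: verified=%d error=%d calls=%d\n", b.verified, b.error, b.calls);
}
```

In the strict run the bad signature still fails verification after expiry was accepted; in the lenient run the final error reads as OK even though a signature check failed, which is the case where the previous error status has to be saved and restored.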