[openssl-users] Verify callback to ignore certificate expiry
Viktor Dukhovni
openssl-users at dukhovni.org
Thu Dec 3 17:07:31 UTC 2015
On Thu, Dec 03, 2015 at 05:00:12PM +0000, Nounou Dadoun wrote:
> Calling
> X509_STORE_CTX_set_error(ctx, X509_V_OK);
> Is actually what I'm doing already but I was worried that it would then
> ignore any other errors (e.g. bad signature etc.);
No, because each error is reported separately, and you're not setting
"ok = 1" for the other errors.
> I'd actually thought
> the errors might be ORed together but that doesn't look like the case.
Each error is reported separately.
> So does it invoke the callback for each error (which is sort of a convoluted way of ORing)?
Yes, though I don't think of it as "ORing".
> If I say ok to EXPIRED will it catch a bad signature?
Yes.
--
Viktor.
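
Added example, not part of the original message and not OpenSSL code: a self-contained C model of the behaviour described in the thread, where the verifier reports each error in its own callback invocation and only the expiry error is accepted. `model_ctx`, `model_verify` and `ignore_expiry_cb` are hypothetical stand-ins (the real callback receives an `X509_STORE_CTX *`); the `X509_V_*` values match `<openssl/x509_vfy.h>`.

```c
#include <stddef.h>
#include <stdio.h>

/* Numeric values as defined in <openssl/x509_vfy.h>. */
#define X509_V_OK                          0
#define X509_V_ERR_CERT_SIGNATURE_FAILURE  7
#define X509_V_ERR_CERT_HAS_EXPIRED       10

/* Hypothetical stand-in for X509_STORE_CTX: holds only the current error. */
typedef struct { int error; } model_ctx;
typedef int (*verify_cb)(int ok, model_ctx *ctx);

/* Policy from the thread: tolerate an expired certificate, nothing else. */
static int ignore_expiry_cb(int ok, model_ctx *ctx)
{
    if (!ok && ctx->error == X509_V_ERR_CERT_HAS_EXPIRED) {
        /* Mirrors X509_STORE_CTX_set_error(ctx, X509_V_OK) in real code. */
        ctx->error = X509_V_OK;
        return 1;
    }
    /* Any other error arrives with ok == 0 and is passed through as a failure. */
    return ok;
}

/* Simplified model of the verifier (assumption: one callback call per error,
 * with ok == 0, and the first rejected error ends verification). */
static int model_verify(const int *errors, size_t n, verify_cb cb)
{
    model_ctx ctx = { X509_V_OK };
    for (size_t i = 0; i < n; i++) {
        ctx.error = errors[i];
        if (!cb(0, &ctx))
            return ctx.error;      /* failed: report the rejected error */
    }
    return X509_V_OK;
}

int main(void)
{
    /* Constructed sample: a chain that is both expired and badly signed. */
    const int both[] = { X509_V_ERR_CERT_HAS_EXPIRED,
                         X509_V_ERR_CERT_SIGNATURE_FAILURE };
    printf("expired only:            %d\n", model_verify(both, 1, ignore_expiry_cb));
    printf("expired + bad signature: %d\n", model_verify(both, 2, ignore_expiry_cb));
    return 0;
}
```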