[openssl-users] Verify callback to ignore certificate expiry

Viktor Dukhovni openssl-users at dukhovni.org
Thu Dec 3 17:07:31 UTC 2015

On Thu, Dec 03, 2015 at 05:00:12PM +0000, Nounou Dadoun wrote:

> Calling 
> 	X509_STORE_CTX_set_error(ctx, X509_V_OK);
> Is actually what I'm doing already but I was worried that it would then
> ignore any other errors (e.g. bad signature etc.);

No, because each error is reported separately, and you're not setting
"ok = 1" for the other errors.

> I'd actually thought
> the errors might be ORed together but that doesn't look like the case.

Each error is reported separately.

> So does it invoke the callback for each error (which is sort of a convoluted way of ORing)?

Yes, though I don't think of it as "ORing".

> If I say ok to EXPIRED will it catch a bad signature?
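
The per-error reporting described in this thread, as an added example that is not part of the original message and is not OpenSSL code: a small model of the verifier invoking the callback once per error, with a callback that accepts only expiry. `struct model_ctx` and `model_verify` are hypothetical stand-ins for `X509_STORE_CTX` and the library's verification loop; the error constants are defined locally with the values from `<openssl/x509_vfy.h>`.

```c
#include <stdio.h>
#include <stddef.h>

/* Values as in OpenSSL's <openssl/x509_vfy.h>, defined locally so this
 * model builds without the library. */
enum {
    X509_V_OK = 0,
    X509_V_ERR_CERT_SIGNATURE_FAILURE = 7,
    X509_V_ERR_CERT_HAS_EXPIRED = 10
};

/* Hypothetical stand-in for X509_STORE_CTX: holds only the current error. */
struct model_ctx { int error; };

/* Callback policy from the thread: accept expiry, nothing else. */
static int verify_cb(int ok, struct model_ctx *ctx)
{
    if (!ok && ctx->error == X509_V_ERR_CERT_HAS_EXPIRED) {
        ctx->error = X509_V_OK;  /* real code: X509_STORE_CTX_set_error() */
        return 1;                /* "ok = 1" for this one error only */
    }
    return ok;                   /* every other error keeps ok == 0 */
}

/* Constructed model of the verifier: one callback call per error found,
 * and the first rejection aborts. Returns 1 on success, 0 on failure,
 * and stores the resulting error code in *final_err. */
static int model_verify(const int *found, size_t n, int *final_err)
{
    struct model_ctx ctx = { X509_V_OK };
    for (size_t i = 0; i < n; i++) {
        ctx.error = found[i];
        if (!verify_cb(0, &ctx))
            break;               /* rejected: ctx.error stays set */
    }
    *final_err = ctx.error;
    return ctx.error == X509_V_OK;
}

int main(void)
{
    int err;
    const int both[] = { X509_V_ERR_CERT_HAS_EXPIRED,
                         X509_V_ERR_CERT_SIGNATURE_FAILURE };
    int ok = model_verify(both, 2, &err);
    printf("expired + bad signature: ok=%d err=%d\n", ok, err);
    return 0;
}
```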



