question about certificate verify

Viktor Dukhovni openssl-users at
Mon Aug 26 14:46:16 UTC 2019

On Mon, Aug 26, 2019 at 02:39:40PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:

> > To ignore expiration of only the leaf certificate, you
> > need a verification callback that checks the error
> > reason at depth 0 and if it is expiration, returns
> > "ok = 1" anyway.
> Is there a potential problem - if a certificate has multiple issues, such
> as bad signature and certificate expired? Would all of these conditions
> be reported, or only the first one detected?

The verification callback is called separately for each error
condition (and at least once on success if no errors are seen).

It is therefore possible to ignore *just* the expiration of a
particular chain element without ignoring other errors.


More information about the openssl-users mailing list