SSL certificate verification

Jan Just Keijser janjust at nikhef.nl
Wed Dec 18 16:10:42 UTC 2019


On 18/12/19 09:54, Mody, Darshan Arvindkumar (Darshan) wrote:
>
> Hi
>
> We are using SSL_CTX_use_certificate and 
> SSL_CTX_use_certificate_chain_file APIs to load the certificates.
>
> My query is: when we are loading the certificate in the Context, does 
> openssl verify the certificates, e.g. whether the certificate is 
> expired already etc.?
>
>
The short answer is no, it does not; the openssl library will let you 
load expired/invalid certificates if you do not do any explicit checks. 
Use a verify_callback and call X509_verify_cert() to check the validity.

HTH,

JJK