SSL certificate verification

Viktor Dukhovni openssl-users at
Wed Dec 18 17:40:33 UTC 2019

> On Dec 18, 2019, at 11:10 AM, Jan Just Keijser <janjust at> wrote:
> the short answer is no, it does not; the openssl library will let you load expired/invalid certificates if you do not do any explicit checks.  Use a verify_callback and call X509_verify_cert() to check the validity.

The verify callback is not needed, unless one wants to log
the chain or allow some subset of errors.  What is needed
is an appropriate CAfile and/or CApath or an explicitly
specified trust-anchor stack (X509_STORE_CTX_set0_trusted()),
and of course X509_STORE_CTX_new(), X509_STORE_CTX_init()
and perhaps X509_STORE_CTX_free() unless the the object
is reused for the lifetime of the process.


More information about the openssl-users mailing list