Okay, so if I get this right, you're saying you want to verify the
server certificate BUT you do NOT want to check its activation date /
expiry date (i.e. the time range over which the certificate is valid)?

I'll forego the very bad security implications of such a wish (those
time ranges are there for a reason, after all), you can do such a
thing by providing your own certificate validation callback which does
forego the time checks.

You can register such a callback using the methods I mentioned before.

For an example verify callback, see the OpenSSL apps/verify.c source
code (this is off the top of my head; I may be wrong with the
filename, but the apps/ directory contains several sample applications
which showcase server- and client-cert verify callbacks; search the
apps/*.c code for places where those registration methods are called
and you'll be able to track down the verify callbacks from there).


I'll see if I can provide a little more detail this evening, but that
depends very much on what others have planned for me once I get home
;-)


Anyway, cave canem: from what I read in your request you are treading
dangerous security ground.

So far,

Ger




On Fri, Jan 23, 2009 at 2:07 PM, Ajeet kumar.S
<ajeetkuma...@jasmin-infotech.com> wrote:
> Dear Ger Hobbelt,
> Thank you for your help and time.
> I want to validate only the signature of the server certificate.
> For example, in peer verification, SSL will check the time of the client
> system (6:28PM 23 Jan 2009) against the CA root certificate validity time
> after the client hello process.
>
> Validity
>            Not Before: Aug  1 00:00:00 1996 GMT
>            Not After : Dec 31 23:59:59 2020 GMT
> In our application code I don't want to validate the system time
> against the validity period (Not Before and Not After).
> I want to validate the signature of the server certificate.
> Can I validate the signature of the server certificate?
> Please reply.
> Thank you.
>
> Regards,
>
> --Ajeet  Kumar  Singh
>
>
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Ger Hobbelt
> Sent: Friday, January 23, 2009 5:04 PM
> To: openssl-users@openssl.org
> Subject: Re: How to check Server certificate and signature?
>
> I'm not sure what you're trying to ask/say here, but have you looked
> into the OPENSSL verify callbacks?
>
> ( http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html )
>
>
>
> On Fri, Jan 23, 2009 at 12:11 PM, Ajeet kumar.S
> <ajeetkuma...@jasmin-infotech.com> wrote:
>> Dear All,
>>
>> I have one doubt: how to check the signature. I saw the server is sending
>> the server certificate; can we check this certificate, or what is the use
>> of this certificate (which comes from the server side)?
>>
>> In peer verification, the client side checks the system time, which lies
>> in the range of time given in the CA certificate. If we give a wrong
>> time (which lies within the range of time in the CA certificate) instead
>> of the current system time, then it also works. So I have a doubt: can we
>> remove this issue, or will it check the server time also?
>>
>> Please tell me.
>>
>>
>>
>>
>>
>> Thank you.
>>
>> Regards,
>>
>> --Ajeet  Kumar  Singh
>>
>>
>>
>>
>>
>>
>
>
>
> --
> Met vriendelijke groeten / Best regards,
>
> Ger Hobbelt
>
> --------------------------------------------------
> web:    http://www.hobbelt.com/
>        http://www.hebbut.net/
> mail:   g...@hobbelt.com
> mobile: +31-6-11 120 978
> --------------------------------------------------
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
>
>



-- 
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--------------------------------------------------
web:    http://www.hobbelt.com/
        http://www.hebbut.net/
mail:   g...@hobbelt.com
mobile: +31-6-11 120 978
--------------------------------------------------
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
