Ger Hobbelt wrote:

Okay, so if I get this right, you're saying you want to verify the
server certificate BUT you do NOT want to check its activation date /
expiry date (i.e. the time range over which the certificate is valid)?
I'll forego the very bad security implications of such a wish (those
time ranges are there for a reason, after all), you can do such a
thing by providing your own certificate validation callback which does
forego the time checks.

[...]

Anyway, cave canem: from what I read in your request you are treading
dangerous security ground.

This is not an uncommon thing to do. Verifying the time in certificates
is a problem in mobile devices that do not have a trusted source of the
time. If the mobile and network authenticate each other using certs, the
mobile is at a disadvantage if it gets the time from the network.
So instead:
1: skip the date check of the date range in the network's cert.
2: connect
3: use the link to consult a trusted time source online
4: re-check the cert now that you know the time
5: start using the link, assuming the cert validated correctly the
second time.
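
Steps 3 to 5 of the procedure above, as an added Python example that is not part of the original message or of OpenSSL. It assumes the TLS stack already completed steps 1 and 2 and handed over the certificate dates in the shape `ssl.SSLSocket.getpeercert()` returns; `TimeDeferredLink`, `bring_up` and `fetch_trusted_time` are hypothetical names.

```python
import ssl


class TimeDeferredLink:
    """State for a TLS link whose certificate dates were skipped at handshake (step 1)."""

    def __init__(self, peercert):
        # peercert has the shape returned by ssl.SSLSocket.getpeercert().
        self.not_before = ssl.cert_time_to_seconds(peercert["notBefore"])
        self.not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
        self.time_verified = False

    def allows(self, purpose):
        # Before the re-check, the link may carry the time query and nothing else.
        return self.time_verified or purpose == "time-query"

    def recheck(self, trusted_now):
        # Step 4: validity window against the trusted clock (epoch seconds, UTC).
        self.time_verified = self.not_before <= trusted_now <= self.not_after
        return self.time_verified


def bring_up(peercert, fetch_trusted_time):
    """Run steps 3-5 and return (state, link).

    fetch_trusted_time is a hypothetical callable returning epoch seconds from a
    source that is authenticated on its own (assumption: e.g. a signed response),
    not merely by the link whose certificate is still unchecked.
    """
    link = TimeDeferredLink(peercert)
    try:
        now = fetch_trusted_time()  # step 3
    except Exception:
        return "closed: no trusted time", link  # fail closed, never skip step 4
    if not link.recheck(now):  # step 4
        reason = "not yet valid" if now < link.not_before else "expired"
        return "closed: certificate " + reason, link
    return "up", link  # step 5


# Constructed sample certificate dates, not taken from any real certificate.
SAMPLE_CERT = {"notBefore": "Jan 15 00:00:00 2024 GMT",
               "notAfter": "Jan 15 00:00:00 2025 GMT"}

if __name__ == "__main__":
    for label, now in (("inside window", 1720000000), ("after expiry", 1740000000)):
        state, link = bring_up(SAMPLE_CERT, lambda: now)
        print(label, "->", state, "| app data allowed:", link.allows("app-data"))
```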