Calling 
        X509_STORE_CTX_set_error(ctx, X509_V_OK);
Is actually what I'm doing already but I was worried that it would then ignore 
any other errors (e.g. bad signature etc.); I'd actually thought the errors 
might be ORed together but that doesn't look like the case.
So does it invoke the callback for each error (which is sort of a convoluted 
way of ORing)?

If I say ok to EXPIRED will it catch a bad signature?

Thanks for your help ... N 


Nou Dadoun

-----Original Message-----
From: openssl-users [mailto:[email protected]] On Behalf Of 
Viktor Dukhovni
Sent: Thursday, December 03, 2015 7:00 AM
To: [email protected]
Subject: Re: [openssl-users] Verify callback to ignore certificate expiry

On Thu, Dec 03, 2015 at 06:01:36AM +0000, Nou Dadoun wrote:

> Another quick question, I'm setting up a server ssl handshake on a device on 
> which the certificate verification will sometimes fail not because the 
> certificate is bad but because the time is not set properly on the device.
> 
> I'm doing an ssl verify callback that is almost identical to one of 
> the examples in 
> https://www.openssl.org/docs/manmaster/crypto/X509_STORE_CTX_set_verify_cb.html
> I.e.
> 
>  int verify_callback(int ok, X509_STORE_CTX *ctx)
>         {
>         int err = X509_STORE_CTX_get_error(ctx);
>         X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
>         if (err == X509_V_ERR_CERT_HAS_EXPIRED)
>                 {
>                 if (check_is_acceptable_expired_cert(err_cert))
>                         return 1;
>                 }
>         return ok;
>         }
> 
> I have some other slight differences but basically what I need is an 
> implementation for the (fictitious) 
> "check_is_acceptable_expired_cert(err_cert)" function call.
> 
> Is there any quick way of doing this that doesn't involve completely 
> reconstructing the steps for verification (and leaving one out)?  I 
> can do that if I need to but this is only one part of a larger 
> endeavour that will take much more time - any pointers? thanks .... N

The required function is mostly a NOOP, after you return 1, OpenSSL will 
continue to perform all the other checks it would do had the certificate not 
been expired.

However, you probably want the verification result to be OK at the completion 
of the handshake (have SSL_get_verify_result() return X509_V_OK).  So all that 
the code needs to do is to set the error status to X509_V_OK.  

        X509_STORE_CTX_set_error(ctx, X509_V_OK);

Provided you return 0 (abort the handshake) on any errors you're not explicitly 
ignoring, you're OK.

If you ever decide to continue handshakes despite other errors, then more care 
is required to restore any previous error status (which you'll need to store 
somewhere) when ignoring the errors you want to suppress.

-- 
        Viktor.
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users