Re: expired ssl certificate

2012-04-11 Thread Ashok C
Hi, I had almost the same requirement and eventually achieved it by patching my openssl package's x509_verify code to do the check_cert_time() method optionally depending on some conditions. Ideally I feel openSSL should provide a validation flag like X509_V_FLAG_IGNORE_LIFETIME which would hel

Re: expired ssl certificate

2012-04-11 Thread Erwin Himawan
Reading Nou's proposal, I have the impression that the client needs to be modified to accept expired server's certificate. Is my understanding correct? If my understanding is correct, the client needs to be updated. If the client needs to be updated, in my opinion, it is simpler to update the cl

RE: openssl/crypto cleanup

2012-04-11 Thread Nou Dadoun
Thanks for the note, seems like it's even more fundamental than that because the unit test not only doesn't establish an ssl connection, it doesn't even use an ssl context! As a certificate unit test, it's *only* testing our various certificate deployment scenarios to make sure that we retrieve

RE: expired ssl certificate

2012-04-11 Thread Nou Dadoun
I'm no ssl guru either but I'll make some brief comments and let others jump in if I'm too far off the mark. 1. If you use the standard verify and the peer presents an expired certificate, the certificate will not be verified and the connection will fail. 2. The verification callback is calle

Re: Accept failing - SysCall error - advice?

2012-04-11 Thread Nathan Smyth
Thanks, Dave, for your reply. Very helpful. > If this server is getting connections from the client above, > and that client mistakenly handles WANT_READ by closing or > even exiting/aborting, the server gets either TCP abort or > unexpected TCP shutdown (aka EOF), which causes this error. Err

RE: expired ssl certificate

2012-04-11 Thread Dinh, Thao V CIV NSWCDD, K72
Hi Nou, please help me understand more about this subject (I am new to Openssl). 1. What happens if the peer presents an expired certificate and we do not implement callback using SSL_CTX_set_verify with SSL_VERIFY_PEER flag set, will the SSL_connect or SSL_accept fail ??? 2. What is the function

Re: openssl/crypto cleanup

2012-04-11 Thread jeremy hunt
On a disconnect check the state of the SSL data structure and call SSL_free if it is not null. if (*sslptr != NULL) { SSL_free (*sslptr); *sslptr = NULL; } Though as you say it is a certificate issue, then perhaps you need to look at SSL_CTX_free(*sslctxptr) Look at the man page for this

Re: doubt regarding certificate generation

2012-04-11 Thread Mithun Kumar
Thanks Dave, could you please elaborate on the lines below too: $(OPENSSL) req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem -config root.cnf $(OPENSSL) x509 -req -in rootreq.pem -sha1 -extfile root.cnf -extensions certificate_extensions -signkey rootkey.pem -out rootcert.pem $(CAT) rootcert