On Thu, 2015-07-30 at 22:08 +0000, Viktor Dukhovni wrote:
>
> > Obviously I agree, but life's too short to argue about it and I *do*
> > have a viable alternative, with a verify_cb function that just ignores
> > X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED.
>
> You have to be careful how you do that.  The final error in the
> X509_STORE_CTX is the *last* error reported, and other errors
> may also have been detected earlier.
>
> If your callback always returns the "ok" input except for the two
> above errors, you're fine.  But if it returns "1" in additional cases,
> and then in the end you look at the store error status, you may be
> in trouble.  That's an issue in applications that don't immediately
> terminate the handshake on authentication errors, and disconnect
> more gracefully at the application layer when authentication fails.

Thanks for the warning. I don't believe we're looking at the store error
status at all; we only care about the return value from
X509_verify_cert() — either directly, or when PKCS7_verify() calls it.

(There's no SSL here; only crypto. It's for verifying certificate chains
and checking signatures on boot images).

So I think it's fine.

-- 
David Woodhouse
Open Source Technology Centre
[email protected]
Intel Corporation
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
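
The difference between the two callback styles discussed in this message, as an added example that is not code from the thread or from OpenSSL. It is a simplified model, not a call into the library: model_verify(), the two verdict functions, deferred_accepts() and the sample error list are hypothetical names, and the numeric error values are repeated from OpenSSL's x509_vfy.h so that it builds stand-alone.

```c
#include <stddef.h>
#include <stdio.h>

/* Values from OpenSSL's <openssl/x509_vfy.h>, repeated so this model
 * builds without the library. */
#ifndef X509_V_OK
#define X509_V_OK 0
#define X509_V_ERR_CERT_NOT_YET_VALID 9
#define X509_V_ERR_CERT_HAS_EXPIRED 10
#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18
#endif

typedef int (*verdict_fn)(int ok, int err);

static int is_time_error(int err) {
    return err == X509_V_ERR_CERT_NOT_YET_VALID ||
           err == X509_V_ERR_CERT_HAS_EXPIRED;
}

/* Safe: return the "ok" input unchanged except for the two time errors.
 * A real verify_cb would get err from X509_STORE_CTX_get_error(ctx). */
int time_tolerant(int ok, int err) { return (!ok && is_time_error(err)) ? 1 : ok; }

/* Risky: overrides every error and leaves the decision for later. */
int accept_all(int ok, int err) { (void)ok; (void)err; return 1; }

/* Simplified model of the verifier: each detected error is reported with
 * ok=0, a 0 verdict aborts, and *last_err is overwritten by every report. */
int model_verify(const int *errs, size_t n, verdict_fn cb, int *last_err) {
    *last_err = X509_V_OK;
    for (size_t i = 0; i < n; i++) {
        *last_err = errs[i];
        if (!cb(0, errs[i])) return 0;
    }
    return 1;
}

/* Deferred check that consults only the final stored error. */
int deferred_accepts(int last_err) { return last_err == X509_V_OK || is_time_error(last_err); }

/* Constructed sample: an untrusted self-signed certificate that is also expired. */
const int SAMPLE_ERRS[] = { X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
                            X509_V_ERR_CERT_HAS_EXPIRED };

int main(void) {
    int last, rc = model_verify(SAMPLE_ERRS, 2, accept_all, &last);
    printf("accept_all: rc=%d last=%d deferred=%d\n", rc, last, deferred_accepts(last));
    rc = model_verify(SAMPLE_ERRS, 2, time_tolerant, &last);
    printf("time_tolerant: rc=%d last=%d\n", rc, last);
    return 0;
}
```

With accept_all the trust failure is overwritten by the later expiry error, so a check of only the final stored error accepts the chain; with time_tolerant the return value alone already rejects it.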
