Hi, I see that the OpenSSL certificate verify utility uses X509_verify_cert() in x509_vfy.c for certificate validation. Based on the manual page for verify, I understand that the order of verification is as follows:
1. Firstly, a certificate chain is built up starting from the supplied certificate and ending in the root CA.
2. The second operation is to check every untrusted certificate's extensions for consistency with the supplied purpose.
3. The third operation is to check the trust settings on the root CA.
4. The final operation is to check the validity of the certificate chain. The validity period is checked against the current system time and the notBefore and notAfter dates in the certificate. The certificate signatures are also checked at this point.

What would be the best way to make the time check optional? One way, as seen from the code, could be to make this call optional based on some environment variable, e.g.:

    if (TIME_CHECK_ON)
        check_cert_time(ctx, xs);
    else
        /* don't check time */

Is there any alternative way to achieve this?

I understand that by passing a custom time using

    void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t);

and by setting the flag X509_V_FLAG_USE_CHECK_TIME, I can make the verify code use the time I provide, but whatever time I provide through the time_t variable, will it be used as the notBefore or the notAfter time? (since time_t t represents the number of seconds since the start of the Unix epoch)

I would need this optional time checking since I cannot count on my system time being stable all the time :)

Regds,
Ashok