Hi Nou
Please help me understand more about this subject (I am new to OpenSSL).

1. What happens if the peer presents an expired certificate and we do not 
implement a callback using SSL_CTX_set_verify with the SSL_VERIFY_PEER flag set? Will 
SSL_connect or SSL_accept fail???

2. What is the function of the verification callback? Does it just "report" the error of an 
expired certificate, or does it actually let the expired certificate be accepted?? Which 
X509_.. function should I use to let an expired cert be accepted??

3. What is the difference between the standard verify operation and the verify 
callback???


Thank You
Thao Dinh

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Nou Dadoun
Sent: Tuesday, April 10, 2012 3:15 PM
To: openssl-users@openssl.org
Subject: RE: expired ssl certificate

You can use a verification callback to look at the certificate after the 
standard verify operation has been performed to decide whether or not to allow 
the certificate anyway.

Look at the O'Reilly book 
(http://doc.hackbbs.org/Reseaux/O_Reilly_-_Network_Security_with_OpenSSL.pdf); 
page 132 or so has some sample code you can probably modify.

Standard warnings apply .. N

---
Nou Dadoun
ndad...@teradici.com
604-628-1215 

________________________________

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Srihari, Gautam
Sent: April 10, 2012 3:04 AM
To: openssl-...@openssl.org; openssl-users@openssl.org
Subject: expired ssl certificate

Hi,

    I have a server application and the client uses https to connect
to the server. For this I had created an OpenSSL self-signed certificate
cacert.pem which has been distributed to all the client applications.

    Now unfortunately the certificate has expired. I can create a new 
certificate, but distributing it to all the clients is going to be difficult.

    Is there some way, by using OpenSSL, I can make the server ignore expired 
certificates so I don't have to ask each client to update to a new certificate? 

The crux of the problem is that I want to continue to allow clients to use the 
server without having them upgrade anything, i.e. the change should be done only on the server 
side.

Reg.,

Gautam
