I'm no ssl guru either but I'll make some brief comments and let others jump in
if I'm too far off the mark.
1. If you use the standard verify and the peer presents an expired
certificate, the certificate will not be verified and the connection will fail.
2. The verification callback is called after the "regular" verification is
performed; here's a simple example I posted with my own question yesterday:
#include <stdio.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

/* Called once per certificate in the chain, after OpenSSL's own checks.
   ok is the result of those checks; the return value is the final verdict. */
static int verify_callback(int ok, X509_STORE_CTX *stor)
{
    if (!ok)
    {
        /* X509_STORE_CTX_get_error() replaces direct stor->error access,
           which no longer compiles now that X509_STORE_CTX is opaque. */
        printf("verify_callback Certificate Verification Error: %s\n",
               X509_verify_cert_error_string(X509_STORE_CTX_get_error(stor)));
    }
    else
    {
        printf("verify_callback Certificate Verification Success\n");
    }
    return ok;
}
The ok parameter tells you whether the certificate passed so that if it's not
ok (didn't pass) you can examine the reason/error and the certificate itself to
see whether or not you want to overrule that result. The return value
indicates whether you want to accept it or not - the above example only reports
the result (without changing it) and (if it fails) the reason for failure
without changing anything. If it's not ok and you look at the cert and it's
expired but you don't care, return 1 and it will be accepted. Look at the
examples in the PDF for some examples.
As I said earlier, standard warnings apply - you're overruling standard
security mechanisms for your own purposes which can be dangerous if you're not
careful.
3. I think I've answered that above .... N
---
Nou Dadoun
[email protected]
604-628-1215
-----Original Message-----
From: [email protected] [mailto:[email protected]]
On Behalf Of Dinh, Thao V CIV NSWCDD, K72
Sent: April 11, 2012 4:19 AM
To: [email protected]
Subject: RE: expired ssl certificate
Hi Nou
Please help me understand more about this subject (I am new to OpenSSL).
1. What happens if the peer presents an expired certificate and we do not
implement a callback using SSL_CTX_set_verify with the SSL_VERIFY_PEER flag set?
Will SSL_connect or SSL_accept fail?
2. What is the function of the verification callback? Just to "report" the error
of an expired certificate, or to actually let the expired certificate be accepted?
What X509_.. function should I use to let an expired cert be accepted?
3. What is the difference between the standard verify operation and the verify
callback?
Thank You
Thao Dinh
-----Original Message-----
From: [email protected] [mailto:[email protected]]
On Behalf Of Nou Dadoun
Sent: Tuesday, April 10, 2012 3:15 PM
To: [email protected]
Subject: RE: expired ssl certificate
You can use a verification callback to look at the certificate after the
standard verify operation has been performed to decide whether or not to allow
the certificate anyway.
Look at the O'Reilly book
(http://doc.hackbbs.org/Reseaux/O_Reilly_-_Network_Security_with_OpenSSL.pdf )
page 132 or so has some sample code you can probably modify.
Standard warnings apply .. N
---
Nou Dadoun
[email protected]
604-628-1215
________________________________
From: [email protected] [mailto:[email protected]]
On Behalf Of Srihari, Gautam
Sent: April 10, 2012 3:04 AM
To: [email protected]; [email protected]
Subject: expired ssl certificate
Hi,
I have a server application and the client uses https to connect
to the server. For this I had created an OpenSSL self-signed certificate
cacert.pem which has been distributed to all the client applications.
Now unfortunately the certificate has expired. I can create a new
certificate.
But distributing it to all the clients is going to be difficult.
Is there some way, using OpenSSL, that I can make the server ignore expired
certificates so I don't have to ask each client to update to a new certificate?
The crux of the problem is that I want to continue to allow clients to use the
server without having them upgrade anything, i.e. the change should be done only
on the server side.
Reg.,
Gautam
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]