Just out of curiosity, why does OpenSSL check the revocation status of the certificate before checking whether it has expired or not? E.g. if one certificate in a certificate chain has expired, then X509_verify_cert should fail (which it actually does), but before failing it checks the revocation status. I would like to know whether this is what we wanted or whether it is an error.

X509_verify_cert
{
    ok = ctx->check_revocation(ctx);
    if (!ok) goto end;

    /* At this point, we have a chain and just need to verify it */
    if (ctx->verify != NULL)
        ok = ctx->verify(ctx);
    else
        ok = internal_verify(ctx);
}

Regards,
Amar

