Andy Chan wrote:
> I am using SSL_get_verify_result() to check the verification result. In addition to the normal checks, I want to do the following:
>
> 1) I want to accept certificates even if they are expired. However, I can't simply ignore the errors X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED because SSL_get_verify_result() only returns the last error, so there could be other errors before this one that got hidden. Is there any way to accomplish this?
>
> 2) I also want to verify the common name against the server name. SSL_get_verify_result() doesn't seem to have an error code for this. I think I can just get the server certificate and verify it myself, but I wonder whether there is a better way to do it using OpenSSL primitives.
>
> I would appreciate any assistance I can get on this. Thank you very much.

The best way to implement your modifications is in the verify_callback function. It is called for every single error found (so you can ignore specific verification errors selectively).

Checking the name(s) in the certificate against the expected name is to be performed by the application. OpenSSL does not provide an API for this check.
Best regards,
Lutz