In many cases, errors about no longer valid certificates (expired, revoked, bad signature etc.) are checked only by the other end, so the *client* would show errors about a bad server cert and the server would show errors about bad client certs.
While some server applications may contain extra code to check their own certificate before using it, not all do.

In your own server code, you can check the server's own certificate by explicitly verifying it with X509 functions before using it with the SSL functions, thus not relying on the SSL code checking that the certificates you give it are valid. Look at the sample source code for the "openssl verify" command for examples of how this can be done (you obviously won't have to load the certificate an extra time as you are loading it anyway, and you need to check it against the root certificate in your own server certificate chain, not the collection of root certificates you trust for client certificates).

On 4/30/2012 7:04 AM, 谷口康規 wrote:
Hi. Help me please. I'm a beginner. I'm trying to print a message about expiration of the server certificate on the side of the SSL server (server authentication). But I can't find how to get the alert from the error code. I think SSL_AD_CERTIFICATE_EXPIRED or SSL3_AD_CERTIFICATE_EXPIRED is the error code. However, the above code is only found in the error verification function(?) (ssl_verify_alarm_type() and so on). In addition, when does expiration of the certificate happen? During SSL_accept, SSL_read and so on?
Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
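The check described in the reply above, done with the "openssl verify" command as a pre-flight step before the server starts. This is an added example, not code from the original message or from the OpenSSL project. It assumes the OpenSSL 1.1.0 or later command-line tool; the function names, file names and return codes are hypothetical, and the certificates are generated as throw-away sample input.

```sh
#!/bin/sh
# Added example. Assumes the OpenSSL 1.1.0+ command-line tool.
# check_own_cert and make_demo_pki are hypothetical helper names.

# Verify the server's own certificate against the root of its own chain only
# (-no-CApath keeps the default trust directory out of the decision).
# Usage: check_own_cert <server.pem> <own-root.pem> [unix-time]
# Returns 0 = valid, 2 = expired, 3 = not yet valid, 1 = any other failure.
check_own_cert() {
    cert=$1 root=$2 at=${3:-}
    if [ -n "$at" ]; then
        # -attime verifies as of the given time instead of the current time.
        out=$(openssl verify -no-CApath -CAfile "$root" -attime "$at" "$cert" 2>&1) && return 0
    else
        out=$(openssl verify -no-CApath -CAfile "$root" "$cert" 2>&1) && return 0
    fi
    printf 'own certificate rejected: %s\n' "$out" >&2
    case $out in
        *"certificate has expired"*)      return 2 ;;
        *"certificate is not yet valid"*) return 3 ;;
        *)                                return 1 ;;
    esac
}

# Constructed sample input: a throw-away root and a server certificate valid for one day.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/srv.csr" -days 1 -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -out "$dir/srv.pem" 2>/dev/null
}

demo=$(mktemp -d) && make_demo_pki "$demo"
rc=0; check_own_cert "$demo/srv.pem" "$demo/root.pem" || rc=$?
echo "verified as of now: status $rc"
# Two days ahead the one-day certificate has expired.
rc=0; check_own_cert "$demo/srv.pem" "$demo/root.pem" "$(( $(date +%s) + 172800 ))" || rc=$?
echo "verified as of two days from now: status $rc"
```

Passing a future time as the third argument turns the same check into an early warning, so the server operator sees the expiry before clients start rejecting the certificate.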