Thanks for your help, I posted the sample (which I guess is a little misleading given that it's taken straight off the OpenSSL page I noted) and not what it currently does which is very close to what you've suggested.

So that's one problem I don't have to worry about! Thanks again ... N

Nou Dadoun
Senior Firmware Developer, Security Specialist

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Viktor Dukhovni
Sent: Thursday, December 03, 2015 9:08 AM
To: openssl-users at openssl.org
Subject: Re: Verify callback to ignore certificate expiry

On Thu, Dec 03, 2015 at 05:00:12PM +0000, Nounou Dadoun wrote:

> Calling
> X509_STORE_CTX_set_error(ctx, X509_V_OK); Is actually what I'm doing
> already but I was worried that it would then ignore any other errors
> (e.g. bad signature etc.);

No, because each error is reported separately, and you're not setting "ok = 1" for the other errors.

> I'd actually thought
> the errors might be ORed together but that doesn't look like the case.

Each error is reported separately.

> So does it invoke the callback for each error (which is sort of a convoluted way of ORing)?

Yes, though I don't think of it as "ORing".

> If I say ok to EXPIRED will it catch a bad signature?

Yes.

--
Viktor.