Is there a potential problem - if a certificate has multiple issues, such as bad signature and certificate expired? Would all of these conditions be reported, or only the first one detected?

Regards,
Uri

Sent from my iPhone

On Aug 26, 2019, at 10:11, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:

>> On Aug 26, 2019, at 5:24 AM, forston_shi@xxxxxxxxxxxxxx wrote:
>>
>> We check a sub-certificate with a lot of root certificates.
>> We don’t want to check sub-certificate’s expire time, but we want to get an error when root certificate expired.
>>
>> I try to verify it by following option,
>> X509_VERIFY_PARAM* pm = X509_STORE_CTX_get0_param(xstore_ctx);
>> X509_VERIFY_PARAM_set_flags(pm, X509_V_FLAG_NO_CHECK_TIME);
>>
>> iret = X509_verify_cert(xstore_ctx);
>>
>> But it also will ignore root certificate’s expire.
>>
>> So, can you give me some suggestion for my question.
>
> To ignore expiration of only the leaf certificate, you
> need a verification callback that checks the error
> reason at depth 0 and if it is expiration, returns
> "ok = 1" anyway.
>
> --
> Viktor.
>