On Mon, Aug 26, 2019 at 02:39:40PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:

> > To ignore expiration of only the leaf certificate, you
> > need a verification callback that checks the error
> > reason at depth 0 and if it is expiration, returns
> > "ok = 1" anyway.
>
> Is there a potential problem - if a certificate has multiple issues, such
> as bad signature and certificate expired? Would all of these conditions
> be reported, or only the first one detected?

The verification callback is called separately for each error condition
(and at least once on success if no errors are seen). It is therefore
possible to ignore *just* the expiration of a particular chain element
without ignoring other errors.

-- 
    Viktor.
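
The callback behaviour described in this message, as an added example that is not part of the original thread or of OpenSSL's own code. The names `allow_expired_leaf`, `verify_cb`, `run_chain` and the `WITH_OPENSSL` build switch are assumptions, and `run_chain` is a constructed, simplified stand-in for the verifier (one callback per error, failing as soon as a callback returns 0) so the decision logic can be exercised without a real chain.

```c
#include <stdio.h>
#ifdef WITH_OPENSSL   /* assumed switch: -DWITH_OPENSSL -lcrypto builds the real hook */
#include <openssl/x509_vfy.h>
#else                 /* same numeric values as OpenSSL's <openssl/x509_vfy.h> */
#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7
#define X509_V_ERR_CERT_HAS_EXPIRED 10
#endif

/* Decision for ONE callback invocation: tolerate expiration at depth 0 only. */
int allow_expired_leaf(int preverify_ok, int err, int depth)
{
    if (preverify_ok) return 1;                       /* no error for this call */
    if (depth == 0 && err == X509_V_ERR_CERT_HAS_EXPIRED) return 1;
    return 0;                                         /* every other error stays fatal */
}

#ifdef WITH_OPENSSL
/* Real hook, suitable for X509_STORE_CTX_set_verify_cb() or SSL_CTX_set_verify(). */
int verify_cb(int preverify_ok, X509_STORE_CTX *ctx)
{
    return allow_expired_leaf(preverify_ok, X509_STORE_CTX_get_error(ctx),
                              X509_STORE_CTX_get_error_depth(ctx));
}
#endif

struct finding { int err; int depth; };   /* one error condition on one chain element */

/* Constructed sample chains (not taken from the thread). */
static const struct finding expired_leaf[] = { { X509_V_ERR_CERT_HAS_EXPIRED, 0 } };
static const struct finding expired_and_bad_sig[] = {
    { X509_V_ERR_CERT_HAS_EXPIRED, 0 }, { X509_V_ERR_CERT_SIGNATURE_FAILURE, 0 } };
static const struct finding expired_ca[] = { { X509_V_ERR_CERT_HAS_EXPIRED, 1 } };

/* Simplified verifier model: call back once per error, once with ok=1 if none. */
int run_chain(const struct finding *f, int n)
{
    if (n == 0) return allow_expired_leaf(1, 0, 0);
    for (int i = 0; i < n; i++)
        if (!allow_expired_leaf(0, f[i].err, f[i].depth)) return 0;
    return 1;
}

int main(void)
{
    printf("expired leaf only:       %d\n", run_chain(expired_leaf, 1));
    printf("expired + bad signature: %d\n", run_chain(expired_and_bad_sig, 2));
    printf("expired issuer (depth 1): %d\n", run_chain(expired_ca, 1));
    return 0;
}
```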