> On Dec 18, 2019, at 11:10 AM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
>
> the short answer is no, it does not; the openssl library will let you load expired/invalid certificates if you do not do any explicit checks. Use a verify_callback and call X509_verify_cert() to check the validity.

The verify callback is not needed, unless one wants to log the chain or allow some subset of errors. What is needed is an appropriate CAfile and/or CApath or an explicitly specified trust-anchor stack (X509_STORE_CTX_set0_trusted()), and of course X509_STORE_CTX_new(), X509_STORE_CTX_init() and perhaps X509_STORE_CTX_free() unless the object is reused for the lifetime of the process.

-- 
	Viktor.