On Mon, Mar 14, 2022 at 11:25:51AM -0700, Edward Tsang via openssl-users wrote:

> https://www.openssl.org/docs/man1.1.1/man3/X509_STORE_CTX_verify_cb.html
>
> I am trying to figure out how this example works but it does not seem to
> bypass the (use the second example of X509_V_ERR_CERT_HAS_EXPIRED)
>
> However the caller code
> long res = SSL_get_verify_result( sslCtx ); still reports res NOT as
> X509_V_OK, which it should per the example since it is returning as 1.

This is correct and expected. Returning "ok = 1" from the verify
callback allows the handshake to continue, rather than be aborted, but
it does not and should not mark the certificate as verified.

> I don't think I need to use X509_STORE_CTX_set_error(ctx, X509_V_OK);
> before return 1 in the X509_STORE_CTX_verify_cb example.
> Or am I missing something?

You're missing something. It is best to not suppress the error code,
since this will also mean that resumed sessions are unaware of the
error, ... Rather, if you want to tolerate expired certificates, record
and admit that error both in the callback and after the handshake.

-- 
Viktor.