I'm digging through the source code, trying to find a way to get OpenSSL to always accept expired certificates. I can't find the link between the expired errors/alarms and the
Make OpenSSL accept expired certificates...
In your verification callback function, you should accept both X509_V_OK and X509_V_ERR_CERT_HAS_EXPIRED. Maybe something like:
#include <stdio.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

/* Verify callback with the SSL_CTX_set_verify() / X509_STORE_CTX_set_verify_cb()
 * signature. OpenSSL calls it once per certificate in the chain, and again for
 * each error it finds, so the decision below is made per certificate, per error. */
int verify_callback(int preverify, X509_STORE_CTX* x509_ctx)
{
    /* For error codes, see http://www.openssl.org/docs/apps/verify.html */
    int err = X509_STORE_CTX_get_error(x509_ctx);

    if(preverify == 0)
    {
        /* Log why OpenSSL rejected this certificate before deciding what to do. */
        if(err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
            fprintf(stdout, "  Error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY\n");
        else if(err == X509_V_ERR_CERT_UNTRUSTED)
            fprintf(stdout, "  Error = X509_V_ERR_CERT_UNTRUSTED\n");
        else if(err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
            fprintf(stdout, "  Error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN\n");
        else if(err == X509_V_ERR_CERT_NOT_YET_VALID)
            fprintf(stdout, "  Error = X509_V_ERR_CERT_NOT_YET_VALID\n");
        else if(err == X509_V_ERR_CERT_HAS_EXPIRED)
            fprintf(stdout, "  Error = X509_V_ERR_CERT_HAS_EXPIRED\n");
        else if(err == X509_V_OK)
            fprintf(stdout, "  Error = X509_V_OK\n");
        else
            fprintf(stdout, "  Error = %d\n", err);
    }

    /* Accept a valid certificate, or one whose only problem is that it has
     * expired. Any other failure keeps OpenSSL's verdict (preverify == 0). */
    if (err == X509_V_OK || err == X509_V_ERR_CERT_HAS_EXPIRED)
        return 1;
    return preverify;
}
Another problem with older mobile and IoT gadgets is the lack of clocks and/or aux power. You may need to allow X509_V_ERR_CERT_NOT_YET_VALID too. You will observe this for a device that powers on and thinks it's in the 1990s or 2000s. Older phones without a SIM experience this all the time. I've also observed it in modern [low end] Android phones.