Don't use expired certificates if possible.

When looking for the issuer of a certificate, if current candidate is expired, continue looking. Only return an expired certificate if no valid certificates are found. PR#3359
author: Dr. Stephen Henson <steve@openssl.org> 2014-05-24 23:55:19 +0100
committer: Dr. Stephen Henson <steve@openssl.org> 2014-05-25 04:50:15 +0100
commit: 0930251df814f3993bf2c598761e0c7c6d0d62a2 (patch)
tree: f3e1c9cfaf47569bf8d767b911684b6d175f77af /crypto/x509/x509_lcl.h
parent: 6c21b860ba8f0de64c6e96972ef3c728728d01a0 (diff)
download: openssl-0930251df814f3993bf2c598761e0c7c6d0d62a2.zip
openssl-0930251df814f3993bf2c598761e0c7c6d0d62a2.tar.gz
openssl-0930251df814f3993bf2c598761e0c7c6d0d62a2.tar.bz2
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/x509/x509_lcl.h b/crypto/x509/x509_lcl.h
index 55c7915..f994cb9 100644
--- a/crypto/x509/x509_lcl.h
+++ b/crypto/x509/x509_lcl.h
@@ -68,3 +68,5 @@ struct X509_VERIFY_PARAM_ID_st
 	unsigned char *ip;	/* If not NULL IP address to match */
 	size_t iplen;		/* Length of IP address */
 	};
+
+int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
author	Dr. Stephen Henson <steve@openssl.org>	2014-05-24 23:55:19 +0100
committer	Dr. Stephen Henson <steve@openssl.org>	2014-05-25 04:50:15 +0100
commit	0930251df814f3993bf2c598761e0c7c6d0d62a2 (patch)
tree	f3e1c9cfaf47569bf8d767b911684b6d175f77af /crypto/x509/x509_lcl.h
parent	6c21b860ba8f0de64c6e96972ef3c728728d01a0 (diff)
download	openssl-0930251df814f3993bf2c598761e0c7c6d0d62a2.zip openssl-0930251df814f3993bf2c598761e0c7c6d0d62a2.tar.gz openssl-0930251df814f3993bf2c598761e0c7c6d0d62a2.tar.bz2