TLS handshake certificate validation options

Tong
Dear openssl-users:

We have some old certificates that have an ill-formed value for the subjectAltName extension, causing the TLS handshake to fail.

Are there any options that can be configured to bypass the parsing of the subjectAltName extension (or all the x509v3 extensions) during TLS handshake, without disabling the certificate validation altogether?

Thanks for any suggestions.



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: TLS handshake certificate validation options

Thulasi Goriparthi
Hello,

You can register a verify callback function using
X509_STORE_set_verify_cb(), and X509_verify_cert() will call this
function, which can be used to bypass targeted errors like
X509_V_ERR_INVALID_PURPOSE etc.

Check the callb function in apps/x509.c.


Thanks,
Thulasi.


On 16 July 2018 at 20:48, Tong <[hidden email]> wrote:

> Dear openssl-users:
>
> We have some old certificates that have an ill-formed value for the
> subjectAltName extension, causing the TLS handshake to fail.
>
> Are there any options that can be configured to bypass the parsing of the
> subjectAltName extension (or all the x509v3 extensions) during TLS
> handshake, without disabling the certificate validation altogether?
>
> Thanks for any suggestions.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
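
An added example, not part of the thread and not OpenSSL project code: the targeted verify callback described in the reply, written against Ruby's OpenSSL binding (which exposes the same verify-callback hook) so it runs offline on a constructed in-memory CA and leaf certificates. The tolerated code is X509_V_ERR_INVALID_PURPOSE, the one named in the reply; the code a malformed subjectAltName actually raises is not stated in the thread and should be read from the log. The depth and fingerprint restrictions and all helper names are assumptions of this sketch.

```ruby
require "openssl"

# Constructed in-memory test PKI; names and lifetimes are made up for the demo.
def make_cert(cn, key, issuer, issuer_key, exts, not_after = Time.now + 3600)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 7200
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  exts.each { |name, value| cert.add_extension(ef.create_extension(name, value)) }
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Verify callback that forgives exactly one error code, only on the leaf
# (depth 0), and only for certificates whose SHA-256 fingerprint is pinned.
# Every failing check is appended to `log` so tolerated errors stay visible.
def tolerant_callback(tolerated_error, pinned, log)
  lambda do |preverify_ok, ctx|
    return true if preverify_ok
    ok = ctx.error == tolerated_error && ctx.error_depth.zero? &&
         pinned.include?(fingerprint(ctx.current_cert))
    log << [ctx.error, ctx.error_string, ctx.error_depth, ok]
    ok
  end
end

# Chain validation as a TLS client would run it against a server certificate.
def verify_server_cert(ca, leaf, callback = nil)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  store.purpose = OpenSSL::X509::PURPOSE_SSL_SERVER
  store.verify_callback = callback if callback
  store.verify(leaf)
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
CLIENT_ONLY = [["extendedKeyUsage", "clientAuth"]] # wrong purpose for a server
CA = make_cert("Demo CA", CA_KEY, nil, CA_KEY, [["basicConstraints", "CA:TRUE"]])
LEGACY = make_cert("legacy.example", LEAF_KEY, CA, CA_KEY, CLIENT_ONLY)
UNPINNED = make_cert("other.example", LEAF_KEY, CA, CA_KEY, CLIENT_ONLY)
EXPIRED = make_cert("old.example", LEAF_KEY, CA, CA_KEY, CLIENT_ONLY, Time.now - 3600)
```

Pinning `LEGACY` and `EXPIRED` and verifying all three leaves shows that only the pinned, otherwise valid certificate passes; the expired one is still rejected because its second error is not the tolerated code.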