I'm digging through the source code, trying to find a way to get OpenSSL to always accept expired certificates. I can't find the link between the expired errors/alarms and the
How I solved it:
The time checks for certificates are in ssl/x509_vfy.c:

    static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
    {
        time_t *ptime;
        int i;
        .
        .
        .
        i = X509_cmp_time(X509_get_notAfter(x), ptime);
        .
        .
        .
        if (i < 0) {
            return 1;
            /* Allow expired certificates!
             *
             * ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
             * ctx->current_cert = x;
             * if (!ctx->verify_cb(0, ctx))
             *     return 0;
             */
        }
        return 1;
    }

I just commented out the part where it sets the expiration error. Not the best way to do it; I would suggest using jww's answer instead. I just thought I should document the solution I used.
This solution means that OpenSSL can't detect any expired certs, even if set_verify_cb changes the callback.
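
The closing caveat above, shown as an added example that is not part of the original post and is not OpenSSL code: a small stand-in model of the expiry branch comparing the unmodified flow, where the verify callback decides, with the patched flow, where the callback is never consulted. All `model_` names, the `cb_` and `run` helpers, the constant and the sample times are constructed for illustration.

```c
#include <stdio.h>
#include <time.h>

/* Stand-in model written for this example; these are not OpenSSL's types. */
#define MODEL_ERR_EXPIRED 10 /* constructed stand-in for X509_V_ERR_CERT_HAS_EXPIRED */
struct model_ctx;
typedef int (*model_cb)(int ok, struct model_ctx *ctx);
struct model_ctx { int error; int cb_calls; int result; model_cb verify_cb; };

/* Unmodified flow (the lines the post comments out): record error, ask callback. */
static int check_time_stock(struct model_ctx *ctx, time_t not_after, time_t now)
{
    if (not_after < now) {
        ctx->error = MODEL_ERR_EXPIRED;
        if (!ctx->verify_cb(0, ctx))
            return 0;
    }
    return 1;
}

/* Patched flow from the post: an expired certificate returns 1 before the callback. */
static int check_time_patched(struct model_ctx *ctx, time_t not_after, time_t now)
{
    (void)ctx;
    if (not_after < now)
        return 1;
    return 1;
}

/* Strict policy: any reported error fails verification. */
static int cb_strict(int ok, struct model_ctx *ctx) { ctx->cb_calls++; return ok; }

/* Tolerates expiry only; the error stays recorded so the caller can log it. */
static int cb_allow_expired(int ok, struct model_ctx *ctx)
{
    ctx->cb_calls++;
    return ok || ctx->error == MODEL_ERR_EXPIRED;
}

/* Check a constructed certificate that expired one second before "now". */
static struct model_ctx run(int patched, model_cb cb)
{
    struct model_ctx ctx = {0, 0, 0, cb};
    ctx.result = patched ? check_time_patched(&ctx, 999, 1000)
                         : check_time_stock(&ctx, 999, 1000);
    return ctx;
}

int main(void)
{
    struct model_ctx a = run(0, cb_strict), b = run(0, cb_allow_expired), c = run(1, cb_strict);
    printf("stock/strict ok=%d, stock/allow ok=%d err=%d, patched/strict ok=%d cb_calls=%d\n",
           a.result, b.result, b.error, c.result, c.cb_calls);
    return 0;
}
```

In the patched case a strict callback still sees a passing result with no error recorded, so an application linked against that build has no way to reject or log expiry.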