From 40d37e210508f375336a5f616f4d07e8e14e1eb5 Mon Sep 17 00:00:00 2001
From: Namowen <namowen@user.github.invalid.com>
Date: Sat, 18 Feb 2017 07:51:27 +0800
Subject: [PATCH] client: fix X509_V_ERR_CERT_HAS_EXPIRED

---
 lib/private-libwebsockets.h |  2 +-
 lib/ssl-client.c            | 16 +++++++++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/lib/private-libwebsockets.h b/lib/private-libwebsockets.h
index 00415578..1f365ebb 100644
--- a/lib/private-libwebsockets.h
+++ b/lib/private-libwebsockets.h
@@ -1490,7 +1490,7 @@ struct lws {
 	unsigned int extension_data_pending:1;
 #endif
 #ifdef LWS_OPENSSL_SUPPORT
-	unsigned int use_ssl:3;
+	unsigned int use_ssl:4;
 #endif
 #ifdef _WIN32
 	unsigned int sock_send_blocking:1;
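Review bot: The new width of `use_ssl` is only correct as long as it covers the highest LCCSCF_* flag stored in it, and nothing at the field records that coupling, so the next flag added to the enum will silently be truncated (the `& LCCSCF_ALLOW_EXPIRED` test in the verify callback would then never fire). A comment on the field would make the dependency visible: `/* OR of LCCSCF_* client flags; width must cover the highest flag bit */`. A `_Static_assert` against the largest flag value would be stronger, but I cannot see the flag definitions from this hunk to quote one.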
diff --git a/lib/ssl-client.c b/lib/ssl-client.c
index b8154aa2..9c1a5b98 100644
--- a/lib/ssl-client.c
+++ b/lib/ssl-client.c
@@ -54,7 +54,16 @@ OpenSSL_client_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
 			if ((err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
 					err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) &&
 					wsi->use_ssl & LCCSCF_ALLOW_SELFSIGNED) {
-				lwsl_notice("accepting self-signed certificate\n");
+				lwsl_notice("accepting self-signed certificate (verify_callback)\n");
+				X509_STORE_CTX_set_error(x509_ctx, X509_V_OK);
+				return 1;	// ok
+			} else if ((err == X509_V_ERR_CERT_NOT_YET_VALID ||
+					err == X509_V_ERR_CERT_HAS_EXPIRED) &&
+					wsi->use_ssl & LCCSCF_ALLOW_EXPIRED) {
+				if (err == X509_V_ERR_CERT_NOT_YET_VALID)
+					lwsl_notice("accepting not yet valid certificate (verify_callback)\n");
+				else if (err == X509_V_ERR_CERT_HAS_EXPIRED)
+					lwsl_notice("accepting expired certificate (verify_callback)\n");
 				X509_STORE_CTX_set_error(x509_ctx, X509_V_OK);
 				return 1;	// ok
 			}
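Review bot: The inner `else if (err == X509_V_ERR_CERT_HAS_EXPIRED)` on the line after the not-yet-valid notice can only be true at that point, because the enclosing condition already restricts `err` to the two validity-window errors; a plain `else` says the same thing without suggesting a third case is possible. Since both branches then clear the store error with `X509_STORE_CTX_set_error(x509_ctx, X509_V_OK)` and return 1, the self-signed branch no longer needs its own copy of those two lines and could fall through to the shared tail as before. Note that this branch deliberately turns a failed validity-window check into a successful verification for the rest of the handshake, so the LCCSCF_ALLOW_EXPIRED opt-in is the only thing standing between a caller and an out-of-date certificate; a one-line comment above the branch stating that would help a reader auditing the policy. OpenSSL_client_verify_callback begins and ends outside this hunk.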
@@ -138,8 +147,13 @@ lws_ssl_client_bio_create(struct lws *wsi)
 	}
 
 #endif
+
+#ifndef USE_WOLFSSL
+#ifndef USE_OLD_CYASSL
 	/* OpenSSL_client_verify_callback will be called @ SSL_connect() */
 	SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, OpenSSL_client_verify_callback);
+#endif
+#endif
 
 #ifndef USE_WOLFSSL
 	SSL_set_mode(wsi->ssl,  SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
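Review bot: Wrapping the `SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, OpenSSL_client_verify_callback)` call in `#ifndef USE_WOLFSSL` / `#ifndef USE_OLD_CYASSL` removes not just the callback but also the per-connection `SSL_VERIFY_PEER` mode for those builds, and this hunk does not show whether the wolfSSL/CyaSSL path sets the verify mode on the SSL_CTX instead; if it does not, those builds would now negotiate without peer verification. Please confirm where verification is configured for wolfSSL, and state the reason for the exclusion next to the guard, e.g. `/* wolfSSL/CyaSSL: verify mode is set on the ctx; the OpenSSL-specific callback is not used */` (adjusted to whatever is actually true). If the mode is not set elsewhere, keeping an `SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, NULL)` in the wolfSSL branch would preserve the previous behaviour. lws_ssl_client_bio_create continues outside the hunk on both sides.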