Added flag to allow expired certificates.

2016-11-11 12:19:53 +01:00 · 2016-11-11 12:19:53 +01:00 · b3160f9fd0
commit b3160f9fd0
parent d2cef1515e
2 changed files with 6 additions and 1 deletions
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
@ -1983,7 +1983,8 @@ struct lws_http_mount {
 enum lws_client_connect_ssl_connection_flags {
 	LCCSCF_USE_SSL 				= (1 << 0),
 	LCCSCF_ALLOW_SELFSIGNED			= (1 << 1),
-	LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK	= (1 << 2)
+	LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK	= (1 << 2),
+	LCCSCF_ALLOW_EXPIRED			= (1 << 3)
 };

 /** struct lws_client_connect_info - parameters to connect with when using
--- a/lib/ssl-client.c
+++ b/lib/ssl-client.c
@ -296,6 +296,10 @@ lws_ssl_client_connect2(struct lws *wsi)
 		     n == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) &&
 		     wsi->use_ssl & LCCSCF_ALLOW_SELFSIGNED) {
 			lwsl_notice("accepting self-signed certificate\n");
+		} else if ((n == X509_V_ERR_CERT_NOT_YET_VALID ||
+		            n == X509_V_ERR_CERT_HAS_EXPIRED) &&
+		     wsi->use_ssl & LCCSCF_ALLOW_EXPIRED) {
+			lwsl_notice("accepting expired certificate\n");
 		} else {
 			lwsl_err("server's cert didn't look good, X509_V_ERR = %d: %s\n",
 				 n, ERR_error_string(n, sb));