From: Bob Beck <beck@openssl.org>
Date: Sat, 20 Sep 2025 03:58:44 +0000 (-0600)
Subject: Put an appropriate warning in the apps code for now
X-Git-Tag: 4.0-PRE-CLANG-FORMAT-WEBKIT~364
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=48a2d1e448d48533c88d8b4087ce201d8b33e265;p=thirdparty%2Fopenssl.git

Put an appropriate warning in the apps code for now

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28623)
---

diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index ffb5a07af63..4e3b162ec83 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -683,6 +683,12 @@ static void warn_cert(const char *uri, X509 *cert, int warn_EE,
                       X509_VERIFY_PARAM *vpm)
 {
     uint32_t ex_flags = X509_get_extension_flags(cert);
+    /*
+     * This should not be used as as example for how to verify
+     * certificates. This treats an invalid not before or an invalid
+     * not after time in the certificate as infinitely valid, which
+     * you don't want outside of a toy testing function like this.
+     */
     int res = X509_cmp_timeframe(vpm, X509_get0_notBefore(cert),
                                  X509_get0_notAfter(cert));