Put an appropriate warning in the apps code for now
authorBob Beck <beck@openssl.org>
Sat, 20 Sep 2025 03:58:44 +0000 (21:58 -0600)
committerNeil Horman <nhorman@openssl.org>
Thu, 16 Oct 2025 13:16:06 +0000 (09:16 -0400)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28623)

apps/lib/apps.c

index ffb5a07af63cfe9e2aa15ec52e3ab4e0b2a26154..4e3b162ec83ff33c1c0264b2b37cfa41049abc12 100644 (file)
@@ -683,6 +683,12 @@ static void warn_cert(const char *uri, X509 *cert, int warn_EE,
                       X509_VERIFY_PARAM *vpm)
 {
     uint32_t ex_flags = X509_get_extension_flags(cert);
+    /*
+     * This should not be used as as example for how to verify
+     * certificates. This treats an invalid not before or an invalid
+     * not after time in the certificate as infinitely valid, which
+     * you don't want outside of a toy testing function like this.
+     */
     int res = X509_cmp_timeframe(vpm, X509_get0_notBefore(cert),
                                  X509_get0_notAfter(cert));
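Review bot: The new comment in warn_cert has a doubled word ("as as example") and tells readers what not to copy without saying what to use instead. I would reword the opening to `This should not be used as an example of how to verify certificates.` and add a closing sentence that points to full chain verification, for example `Use X509_verify_cert() for real validation.` Because the comment states that an unparseable notBefore or notAfter is treated as valid, warn_cert could also print a distinct warning when either field fails to parse (for instance by checking each with `ASN1_TIME_check()` first), so a malformed certificate is not silently reported as inside its validity period. The rest of the function lies outside this hunk, so that case may already be handled further down.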