generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

7.16.4 preps

Browse Source
This commit is contained in:
Daniel Stenberg 2007-07-10 21:36:30 +00:00
parent f84642197f
commit 4b1782c371
3 changed files with 49 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
CHANGES
View File

@ -6,6 +6,14 @@
Changelog Changelog
Version 7.16.4 (10 July 2007)
Daniel S (10 July 2007)
- Kees Cook notified us about a security flaw
(http://curl.haxx.se/docs/adv_20070710.html) in which libcurl failed to
properly reject some outdated or not yet valid server certificates when
built with GnuTLS. Kees also provided the patch.
James H (5 July 2007) James H (5 July 2007)
- Gavrie Philipson provided a patch that will use a more specific error - Gavrie Philipson provided a patch that will use a more specific error
message for an scp:// upload failure. If libssh2 has his matching message for an scp:// upload failure. If libssh2 has his matching

5
RELEASE-NOTES
View File

@ -22,6 +22,9 @@ This release includes the following bugfixes:
o fixed the 10-at-a-time.c example o fixed the 10-at-a-time.c example
o FTP over SOCKS proxy o FTP over SOCKS proxy
o improved error messages on SCP upload failures o improved error messages on SCP upload failures
o security flaw (http://curl.haxx.se/docs/adv_20070710.html) in which libcurl
failed to properly reject some outdated or not yet valid server certificates
when built with GnuTLS
This release includes the following known bugs: This release includes the following known bugs:
@ -39,6 +42,6 @@ This release would not have looked like this without help, code, reports and
advice from friends like these: advice from friends like these:
Robert Iakobashvili, James Housley, Günter Knauf, James Bursa, Song Ma, Robert Iakobashvili, James Housley, Günter Knauf, James Bursa, Song Ma,
Thomas J. Moore, Gavrie Philipson Thomas J. Moore, Gavrie Philipson, Kees Cook
Thanks! (and sorry if I forgot to mention someone) Thanks! (and sorry if I forgot to mention someone)

37
lib/gtls.c
View File

@ -420,6 +420,43 @@ Curl_gtls_connect(struct connectdata *conn,
else else
infof(data, "\t common name: %s (matched)\n", certbuf); infof(data, "\t common name: %s (matched)\n", certbuf);
/* Check for time-based validity */
clock = gnutls_x509_crt_get_expiration_time(x509_cert);
if(clock == (time_t)-1) {
failf(data, "server cert expiration date verify failed");
return CURLE_SSL_CONNECT_ERROR;
}
if(clock < time(NULL)) {
if (data->set.ssl.verifypeer) {
failf(data, "server certificate expiration date has passed.");
return CURLE_SSL_PEER_CERTIFICATE;
}
else
infof(data, "\t server certificate expiration date FAILED\n");
}
else
infof(data, "\t server certificate expiration date OK\n");
clock = gnutls_x509_crt_get_activation_time(x509_cert);
if(clock == (time_t)-1) {
failf(data, "server cert activation date verify failed");
return CURLE_SSL_CONNECT_ERROR;
}
if(clock > time(NULL)) {
if (data->set.ssl.verifypeer) {
failf(data, "server certificate not activated yet.");
return CURLE_SSL_PEER_CERTIFICATE;
}
else
infof(data, "\t server certificate activation date FAILED\n");
}
else
infof(data, "\t server certificate activation date OK\n");
/* Show: /* Show:
- ciphers used - ciphers used