gnutls: ignore invalid certificate dates with VERIFYPEER disabled
This makes the behaviour consistent with what happens if a date can be extracted from the certificate but is expired.
This commit is contained in:
Dan Fandrich
parent
f9b80cded7
commit
baf8b57b1d
@ -38,6 +38,7 @@ This release includes the following bugfixes:
|
||||
o nss: make the fallback to SSLv3 work again
|
||||
o tool: prevent valgrind from reporting possibly lost memory (nss only)
|
||||
o nss: fix a memory leak when CURLOPT_CRLFILE is used
|
||||
o gnutls: ignore invalid certificate dates with VERIFYPEER disabled
|
||||
o
|
||||
|
||||
This release includes the following known bugs:
|
||||
|
||||
@ -789,38 +789,48 @@ gtls_connect_step3(struct connectdata *conn,
|
||||
certclock = gnutls_x509_crt_get_expiration_time(x509_cert);
|
||||
|
||||
if(certclock == (time_t)-1) {
|
||||
failf(data, "server cert expiration date verify failed");
|
||||
return CURLE_SSL_CONNECT_ERROR;
|
||||
}
|
||||
|
||||
if(certclock < time(NULL)) {
|
||||
if(data->set.ssl.verifypeer) {
|
||||
failf(data, "server certificate expiration date has passed.");
|
||||
return CURLE_PEER_FAILED_VERIFICATION;
|
||||
failf(data, "server cert expiration date verify failed");
|
||||
return CURLE_SSL_CONNECT_ERROR;
|
||||
}
|
||||
else
|
||||
infof(data, "\t server certificate expiration date FAILED\n");
|
||||
infof(data, "\t server certificate expiration date verify FAILED\n");
|
||||
}
|
||||
else {
|
||||
if(certclock < time(NULL)) {
|
||||
if(data->set.ssl.verifypeer) {
|
||||
failf(data, "server certificate expiration date has passed.");
|
||||
return CURLE_PEER_FAILED_VERIFICATION;
|
||||
}
|
||||
else
|
||||
infof(data, "\t server certificate expiration date FAILED\n");
|
||||
}
|
||||
else
|
||||
infof(data, "\t server certificate expiration date OK\n");
|
||||
}
|
||||
else
|
||||
infof(data, "\t server certificate expiration date OK\n");
|
||||
|
||||
certclock = gnutls_x509_crt_get_activation_time(x509_cert);
|
||||
|
||||
if(certclock == (time_t)-1) {
|
||||
failf(data, "server cert activation date verify failed");
|
||||
return CURLE_SSL_CONNECT_ERROR;
|
||||
}
|
||||
|
||||
if(certclock > time(NULL)) {
|
||||
if(data->set.ssl.verifypeer) {
|
||||
failf(data, "server certificate not activated yet.");
|
||||
return CURLE_PEER_FAILED_VERIFICATION;
|
||||
failf(data, "server cert activation date verify failed");
|
||||
return CURLE_SSL_CONNECT_ERROR;
|
||||
}
|
||||
else
|
||||
infof(data, "\t server certificate activation date FAILED\n");
|
||||
infof(data, "\t server certificate activation date verify FAILED\n");
|
||||
}
|
||||
else {
|
||||
if(certclock > time(NULL)) {
|
||||
if(data->set.ssl.verifypeer) {
|
||||
failf(data, "server certificate not activated yet.");
|
||||
return CURLE_PEER_FAILED_VERIFICATION;
|
||||
}
|
||||
else
|
||||
infof(data, "\t server certificate activation date FAILED\n");
|
||||
}
|
||||
else
|
||||
infof(data, "\t server certificate activation date OK\n");
|
||||
}
|
||||
else
|
||||
infof(data, "\t server certificate activation date OK\n");
|
||||
|
||||
/* Show:
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user