generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

gnutls: ignore invalid certificate dates with VERIFYPEER disabled

Browse Source 
This makes the behaviour consistent with what happens if a date can
be extracted from the certificate but is expired.
This commit is contained in:
Dan Fandrich 2014-07-11 23:21:31 +02:00
parent f9b80cded7
commit baf8b57b1d
2 changed files with 31 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
RELEASE-NOTES
View File

@ -38,6 +38,7 @@ This release includes the following bugfixes:
o nss: make the fallback to SSLv3 work again o nss: make the fallback to SSLv3 work again
o tool: prevent valgrind from reporting possibly lost memory (nss only) o tool: prevent valgrind from reporting possibly lost memory (nss only)
o nss: fix a memory leak when CURLOPT_CRLFILE is used o nss: fix a memory leak when CURLOPT_CRLFILE is used
o gnutls: ignore invalid certificate dates with VERIFYPEER disabled
o o
This release includes the following known bugs: This release includes the following known bugs:

50
lib/vtls/gtls.c
View File

@ -789,38 +789,48 @@ gtls_connect_step3(struct connectdata *conn,
certclock = gnutls_x509_crt_get_expiration_time(x509_cert); certclock = gnutls_x509_crt_get_expiration_time(x509_cert);
if(certclock == (time_t)-1) { if(certclock == (time_t)-1) {
failf(data, "server cert expiration date verify failed");
return CURLE_SSL_CONNECT_ERROR;
}
if(certclock < time(NULL)) {
if(data->set.ssl.verifypeer) { if(data->set.ssl.verifypeer) {
failf(data, "server certificate expiration date has passed."); failf(data, "server cert expiration date verify failed");
return CURLE_PEER_FAILED_VERIFICATION; return CURLE_SSL_CONNECT_ERROR;
} }
else else
infof(data, "\t server certificate expiration date FAILED\n"); infof(data, "\t server certificate expiration date verify FAILED\n");
}
else {
if(certclock < time(NULL)) {
if(data->set.ssl.verifypeer) {
failf(data, "server certificate expiration date has passed.");
return CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "\t server certificate expiration date FAILED\n");
}
else
infof(data, "\t server certificate expiration date OK\n");
} }
else
infof(data, "\t server certificate expiration date OK\n");
certclock = gnutls_x509_crt_get_activation_time(x509_cert); certclock = gnutls_x509_crt_get_activation_time(x509_cert);
if(certclock == (time_t)-1) { if(certclock == (time_t)-1) {
failf(data, "server cert activation date verify failed");
return CURLE_SSL_CONNECT_ERROR;
}
if(certclock > time(NULL)) {
if(data->set.ssl.verifypeer) { if(data->set.ssl.verifypeer) {
failf(data, "server certificate not activated yet."); failf(data, "server cert activation date verify failed");
return CURLE_PEER_FAILED_VERIFICATION; return CURLE_SSL_CONNECT_ERROR;
} }
else else
infof(data, "\t server certificate activation date FAILED\n"); infof(data, "\t server certificate activation date verify FAILED\n");
}
else {
if(certclock > time(NULL)) {
if(data->set.ssl.verifypeer) {
failf(data, "server certificate not activated yet.");
return CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "\t server certificate activation date FAILED\n");
}
else
infof(data, "\t server certificate activation date OK\n");
} }
else
infof(data, "\t server certificate activation date OK\n");
/* Show: /* Show: