authorDan Fandrich <dan@coneharvesters.com>2014-07-11 23:21:31 +0200
committerDan Fandrich <dan@coneharvesters.com>2014-07-11 23:21:31 +0200
commitbaf8b57b1d174748d5e01ac67a70f7f96c946637 (patch)
treec1d446af0a3f2fbfe3872d7031a1380542d315d1 /lib/vtls
parentf9b80cded7e781b303978b259d4219b7058815af (diff)
gnutls: ignore invalid certificate dates with VERIFYPEER disabled
This makes the behaviour consistent with what happens if a date can be extracted from the certificate but is expired.
Diffstat (limited to 'lib/vtls')
-rw-r--r--lib/vtls/gtls.c50
1 files changed, 30 insertions, 20 deletions
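--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -789,38 +789,48 @@ gtls_connect_step3(struct connectdata *conn,
 certclock = gnutls_x509_crt_get_expiration_time(x509_cert);
 if(certclock == (time_t)-1) {
- failf(data, "server cert expiration date verify failed");
- return CURLE_SSL_CONNECT_ERROR;
- }
-
- if(certclock < time(NULL)) {
 if(data->set.ssl.verifypeer) {
- failf(data, "server certificate expiration date has passed.");
- return CURLE_PEER_FAILED_VERIFICATION;
+ failf(data, "server cert expiration date verify failed");
+ return CURLE_SSL_CONNECT_ERROR;
 }
 else
- infof(data, "\t server certificate expiration date FAILED\n");
+ infof(data, "\t server certificate expiration date verify FAILED\n");
+ }
+ else {
+ if(certclock < time(NULL)) {
+ if(data->set.ssl.verifypeer) {
+ failf(data, "server certificate expiration date has passed.");
+ return CURLE_PEER_FAILED_VERIFICATION;
+ }
+ else
+ infof(data, "\t server certificate expiration date FAILED\n");
+ }
+ else
+ infof(data, "\t server certificate expiration date OK\n");
 }
- else
- infof(data, "\t server certificate expiration date OK\n");
 certclock = gnutls_x509_crt_get_activation_time(x509_cert);
 if(certclock == (time_t)-1) {
- failf(data, "server cert activation date verify failed");
- return CURLE_SSL_CONNECT_ERROR;
- }
-
- if(certclock > time(NULL)) {
 if(data->set.ssl.verifypeer) {
- failf(data, "server certificate not activated yet.");
- return CURLE_PEER_FAILED_VERIFICATION;
+ failf(data, "server cert activation date verify failed");
+ return CURLE_SSL_CONNECT_ERROR;
 }
 else
- infof(data, "\t server certificate activation date FAILED\n");
+ infof(data, "\t server certificate activation date verify FAILED\n");
+ }
+ else {
+ if(certclock > time(NULL)) {
+ if(data->set.ssl.verifypeer) {
+ failf(data, "server certificate not activated yet.");
+ return CURLE_PEER_FAILED_VERIFICATION;
+ }
+ else
+ infof(data, "\t server certificate activation date FAILED\n");
+ }
+ else
+ infof(data, "\t server certificate activation date OK\n");
 }
- else
- infof(data, "\t server certificate activation date OK\n");
 /* Show: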
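Review bot: `time(NULL)` is read separately at the new `if(certclock < time(NULL))` line in the expiration block and again at `if(certclock > time(NULL))` in the activation block, so the two date checks can be made against different clock values; reading it once into `time_t now = time(NULL);` before the expiration block and comparing both `certclock` values against `now` keeps the checks consistent and saves a call. The added `else { if(certclock < time(NULL)) { ... } else ... }` shape introduces a nesting level that `else if(certclock < time(NULL)) {` would avoid, in both the expiration and the activation blocks. The unbraced `else` arms that carry a single `infof()` are kept from the old code; bracing them would match the braced `if` arms beside them. gtls_connect_step3 starts and ends outside the hunk.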