diff options
-rw-r--r-- | RELEASE-NOTES | 1 | ||||
-rw-r--r-- | lib/vtls/gtls.c | 50 |
2 files changed, 31 insertions, 20 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 5bdcb3cac..5f3bc0cd3 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -38,6 +38,7 @@ This release includes the following bugfixes: o nss: make the fallback to SSLv3 work again o tool: prevent valgrind from reporting possibly lost memory (nss only) o nss: fix a memory leak when CURLOPT_CRLFILE is used + o gnutls: ignore invalid certificate dates with VERIFYPEER disabled o This release includes the following known bugs: diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index f77ce66c6..7f920b27a 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -789,38 +789,48 @@ gtls_connect_step3(struct connectdata *conn, certclock = gnutls_x509_crt_get_expiration_time(x509_cert); if(certclock == (time_t)-1) { - failf(data, "server cert expiration date verify failed"); - return CURLE_SSL_CONNECT_ERROR; - } - - if(certclock < time(NULL)) { if(data->set.ssl.verifypeer) { - failf(data, "server certificate expiration date has passed."); - return CURLE_PEER_FAILED_VERIFICATION; + failf(data, "server cert expiration date verify failed"); + return CURLE_SSL_CONNECT_ERROR; } else - infof(data, "\t server certificate expiration date FAILED\n"); + infof(data, "\t server certificate expiration date verify FAILED\n"); + } + else { + if(certclock < time(NULL)) { + if(data->set.ssl.verifypeer) { + failf(data, "server certificate expiration date has passed."); + return CURLE_PEER_FAILED_VERIFICATION; + } + else + infof(data, "\t server certificate expiration date FAILED\n"); + } + else + infof(data, "\t server certificate expiration date OK\n"); } - else - infof(data, "\t server certificate expiration date OK\n"); certclock = gnutls_x509_crt_get_activation_time(x509_cert); if(certclock == (time_t)-1) { - failf(data, "server cert activation date verify failed"); - return CURLE_SSL_CONNECT_ERROR; - } - - if(certclock > time(NULL)) { if(data->set.ssl.verifypeer) { - failf(data, "server certificate not activated yet."); - return CURLE_PEER_FAILED_VERIFICATION; + failf(data, "server cert activation date verify failed"); + return CURLE_SSL_CONNECT_ERROR; } else - infof(data, "\t server certificate activation date FAILED\n"); + infof(data, "\t server certificate activation date verify FAILED\n"); + } + else { + if(certclock > time(NULL)) { + if(data->set.ssl.verifypeer) { + failf(data, "server certificate not activated yet."); + return CURLE_PEER_FAILED_VERIFICATION; + } + else + infof(data, "\t server certificate activation date FAILED\n"); + } + else + infof(data, "\t server certificate activation date OK\n"); } - else - infof(data, "\t server certificate activation date OK\n"); /* Show: |