-rw-r--r-- | lib/gtls.c | 42 |
1 files changed, 23 insertions, 19 deletions
diff --git a/lib/gtls.c b/lib/gtls.c
index 4152ded26..c7c38642f 100644
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -225,7 +225,7 @@ Curl_gtls_connect(struct connectdata *conn,
 size_t size;
 unsigned int algo;
 unsigned int bits;
- time_t clock;
+ time_t certclock;
 const char *ptr;
 void *ssl_sessionid;
 size_t ssl_idsize;
@@ -344,6 +344,10 @@ Curl_gtls_connect(struct connectdata *conn,
 }
 if(data->set.ssl.verifypeer) {
+
+ gnutls_certificate_set_verify_limits(conn->ssl[sockindex].cred,
+ 40200, 38);
+
 /* This function will try to verify the peer's certificate and return its status (trusted, invalid etc.). The value of status should be one or more of the gnutls_certificate_status_t enumerated elements bitwise
@@ -413,14 +417,14 @@ Curl_gtls_connect(struct connectdata *conn,
 infof(data, "\t common name: %s (matched)\n", certbuf);
 /* Check for time-based validity */
- clock = gnutls_x509_crt_get_expiration_time(x509_cert);
+ certclock = gnutls_x509_crt_get_expiration_time(x509_cert);
- if(clock == (time_t)-1) {
+ if(certclock == (time_t)-1) {
 failf(data, "server cert expiration date verify failed");
 return CURLE_SSL_CONNECT_ERROR;
 }
- if(clock < time(NULL)) {
+ if(certclock < time(NULL)) {
 if(data->set.ssl.verifypeer) {
 failf(data, "server certificate expiration date has passed.");
 return CURLE_PEER_FAILED_VERIFICATION;
@@ -431,14 +435,14 @@ Curl_gtls_connect(struct connectdata *conn,
 else
 infof(data, "\t server certificate expiration date OK\n");
- clock = gnutls_x509_crt_get_activation_time(x509_cert);
+ certclock = gnutls_x509_crt_get_activation_time(x509_cert);
- if(clock == (time_t)-1) {
+ if(certclock == (time_t)-1) {
 failf(data, "server cert activation date verify failed");
 return CURLE_SSL_CONNECT_ERROR;
 }
- if(clock > time(NULL)) {
+ if(certclock > time(NULL)) {
 if(data->set.ssl.verifypeer) {
 failf(data, "server certificate not activated yet.");
 return CURLE_PEER_FAILED_VERIFICATION;
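Review bot: The two arguments added to `gnutls_certificate_set_verify_limits()` in the -344 hunk are bare numbers, and nothing in the hunk says which is the maximum key size in bits and which is the maximum certificate chain depth (if I recall the GnuTLS prototype correctly it takes max_bits then max_depth, so 40200 bits and a depth of 38 here), so a reader cannot check that they are in the right order or why these particular values were chosen. I would name them, `#define GTLS_VERIFY_MAX_BITS 40200` and `#define GTLS_VERIFY_MAX_DEPTH 38` near the top of the file, or at minimum put a comment on the call such as `/* max key size in bits, max chain depth */`. If these values were picked to be more permissive than GnuTLS's built-in defaults, the comment should also record what certificate failed under the defaults, because a higher key-size cap raises the CPU an untrusted peer can make the verifier spend on an oversized key and a chain depth of 38 is far beyond any realistic chain. The `if(data->set.ssl.verifypeer)` block and Curl_gtls_connect itself continue outside the hunk.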
@@ -474,11 +478,11 @@ Curl_gtls_connect(struct connectdata *conn,
 gnutls_x509_crt_get_dn(x509_cert, certbuf, &size);
 infof(data, "\t subject: %s\n", certbuf);
- clock = gnutls_x509_crt_get_activation_time(x509_cert);
- showtime(data, "start date", clock);
+ certclock = gnutls_x509_crt_get_activation_time(x509_cert);
+ showtime(data, "start date", certclock);
- clock = gnutls_x509_crt_get_expiration_time(x509_cert);
- showtime(data, "expire date", clock);
+ certclock = gnutls_x509_crt_get_expiration_time(x509_cert);
+ showtime(data, "expire date", certclock);
 size = sizeof(certbuf);
 gnutls_x509_crt_get_issuer_dn(x509_cert, certbuf, &size);
@@ -543,16 +547,16 @@ void Curl_gtls_close_all(struct SessionHandle *data)
 }
 static void close_one(struct connectdata *conn,
- int index)
+ int idx)
 {
- if(conn->ssl[index].session) {
- gnutls_bye(conn->ssl[index].session, GNUTLS_SHUT_RDWR);
- gnutls_deinit(conn->ssl[index].session);
- conn->ssl[index].session = NULL;
+ if(conn->ssl[idx].session) {
+ gnutls_bye(conn->ssl[idx].session, GNUTLS_SHUT_RDWR);
+ gnutls_deinit(conn->ssl[idx].session);
+ conn->ssl[idx].session = NULL;
 }
- if(conn->ssl[index].cred) {
- gnutls_certificate_free_credentials(conn->ssl[index].cred);
- conn->ssl[index].cred = NULL;
+ if(conn->ssl[idx].cred) {
+ gnutls_certificate_free_credentials(conn->ssl[idx].cred);
+ conn->ssl[idx].cred = NULL;
 }
 } |