-rw-r--r--lib/gtls.c42
1 files changed, 23 insertions, 19 deletions
diff --git a/lib/gtls.c b/lib/gtls.c
index 4152ded26..c7c38642f 100644
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -225,7 +225,7 @@ Curl_gtls_connect(struct connectdata *conn,
size_t size;
unsigned int algo;
unsigned int bits;
- time_t clock;
+ time_t certclock;
const char *ptr;
void *ssl_sessionid;
size_t ssl_idsize;
@@ -344,6 +344,10 @@ Curl_gtls_connect(struct connectdata *conn,
}
if(data->set.ssl.verifypeer) {
+
+ gnutls_certificate_set_verify_limits(conn->ssl[sockindex].cred,
+ 40200, 38);
+
/* This function will try to verify the peer's certificate and return its
status (trusted, invalid etc.). The value of status should be one or
more of the gnutls_certificate_status_t enumerated elements bitwise
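Review bot: The literals 40200 and 38 handed to gnutls_certificate_set_verify_limits() at the top of the verifypeer block are unexplained magic numbers; they fill the function's max_bits and max_depth parameters, so the call deserves a why-comment such as `/* Raise gnutls's verification limits: accept keys up to 40200 bits and chains up to 38 certificates deep (the library defaults are lower). */`. These limits bound how much work is spent verifying a peer-supplied chain, so a depth of 38 is generous; if it was picked to accommodate a particular deployment, the comment should say so, and it is worth confirming against the gnutls version in use that both values are honored rather than clamped. The two blank `+` lines around the call are unusual for this file and could be dropped. Curl_gtls_connect continues outside the hunk.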
@@ -413,14 +417,14 @@ Curl_gtls_connect(struct connectdata *conn,
infof(data, "\t common name: %s (matched)\n", certbuf);
/* Check for time-based validity */
- clock = gnutls_x509_crt_get_expiration_time(x509_cert);
+ certclock = gnutls_x509_crt_get_expiration_time(x509_cert);
- if(clock == (time_t)-1) {
+ if(certclock == (time_t)-1) {
failf(data, "server cert expiration date verify failed");
return CURLE_SSL_CONNECT_ERROR;
}
- if(clock < time(NULL)) {
+ if(certclock < time(NULL)) {
if(data->set.ssl.verifypeer) {
failf(data, "server certificate expiration date has passed.");
return CURLE_PEER_FAILED_VERIFICATION;
@@ -431,14 +435,14 @@ Curl_gtls_connect(struct connectdata *conn,
else
infof(data, "\t server certificate expiration date OK\n");
- clock = gnutls_x509_crt_get_activation_time(x509_cert);
+ certclock = gnutls_x509_crt_get_activation_time(x509_cert);
- if(clock == (time_t)-1) {
+ if(certclock == (time_t)-1) {
failf(data, "server cert activation date verify failed");
return CURLE_SSL_CONNECT_ERROR;
}
- if(clock > time(NULL)) {
+ if(certclock > time(NULL)) {
if(data->set.ssl.verifypeer) {
failf(data, "server certificate not activated yet.");
return CURLE_PEER_FAILED_VERIFICATION;
@@ -474,11 +478,11 @@ Curl_gtls_connect(struct connectdata *conn,
gnutls_x509_crt_get_dn(x509_cert, certbuf, &size);
infof(data, "\t subject: %s\n", certbuf);
- clock = gnutls_x509_crt_get_activation_time(x509_cert);
- showtime(data, "start date", clock);
+ certclock = gnutls_x509_crt_get_activation_time(x509_cert);
+ showtime(data, "start date", certclock);
- clock = gnutls_x509_crt_get_expiration_time(x509_cert);
- showtime(data, "expire date", clock);
+ certclock = gnutls_x509_crt_get_expiration_time(x509_cert);
+ showtime(data, "expire date", certclock);
size = sizeof(certbuf);
gnutls_x509_crt_get_issuer_dn(x509_cert, certbuf, &size);
@@ -543,16 +547,16 @@ void Curl_gtls_close_all(struct SessionHandle *data)
}
static void close_one(struct connectdata *conn,
- int index)
+ int idx)
{
- if(conn->ssl[index].session) {
- gnutls_bye(conn->ssl[index].session, GNUTLS_SHUT_RDWR);
- gnutls_deinit(conn->ssl[index].session);
- conn->ssl[index].session = NULL;
+ if(conn->ssl[idx].session) {
+ gnutls_bye(conn->ssl[idx].session, GNUTLS_SHUT_RDWR);
+ gnutls_deinit(conn->ssl[idx].session);
+ conn->ssl[idx].session = NULL;
}
- if(conn->ssl[index].cred) {
- gnutls_certificate_free_credentials(conn->ssl[index].cred);
- conn->ssl[index].cred = NULL;
+ if(conn->ssl[idx].cred) {
+ gnutls_certificate_free_credentials(conn->ssl[idx].cred);
+ conn->ssl[idx].cred = NULL;
}
}