diff options
| author | Dan Fandrich <dan@coneharvesters.com> | 2014-07-11 23:21:31 +0200 |
|---|---|---|
| committer | Dan Fandrich <dan@coneharvesters.com> | 2014-07-11 23:21:31 +0200 |
| commit | baf8b57b1d174748d5e01ac67a70f7f96c946637 (patch) | |
| tree | c1d446af0a3f2fbfe3872d7031a1380542d315d1 | |
| parent | f9b80cded7e781b303978b259d4219b7058815af (diff) | |
| download | gnurl-baf8b57b1d174748d5e01ac67a70f7f96c946637.tar.gz gnurl-baf8b57b1d174748d5e01ac67a70f7f96c946637.tar.bz2 gnurl-baf8b57b1d174748d5e01ac67a70f7f96c946637.zip | |
gnutls: ignore invalid certificate dates with VERIFYPEER disabled
This makes the behaviour consistent with what happens if a date can
be extracted from the certificate but is expired.
| -rw-r--r-- | RELEASE-NOTES | 1 | ||||
| -rw-r--r-- | lib/vtls/gtls.c | 50 |
2 files changed, 31 insertions, 20 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 5bdcb3cac..5f3bc0cd3 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -38,6 +38,7 @@ This release includes the following bugfixes: o nss: make the fallback to SSLv3 work again o tool: prevent valgrind from reporting possibly lost memory (nss only) o nss: fix a memory leak when CURLOPT_CRLFILE is used + o gnutls: ignore invalid certificate dates with VERIFYPEER disabled o This release includes the following known bugs: diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index f77ce66c6..7f920b27a 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -789,38 +789,48 @@ gtls_connect_step3(struct connectdata *conn, certclock = gnutls_x509_crt_get_expiration_time(x509_cert); if(certclock == (time_t)-1) { - failf(data, "server cert expiration date verify failed"); - return CURLE_SSL_CONNECT_ERROR; - } - - if(certclock < time(NULL)) { if(data->set.ssl.verifypeer) { - failf(data, "server certificate expiration date has passed."); - return CURLE_PEER_FAILED_VERIFICATION; + failf(data, "server cert expiration date verify failed"); + return CURLE_SSL_CONNECT_ERROR; } else - infof(data, "\t server certificate expiration date FAILED\n"); + infof(data, "\t server certificate expiration date verify FAILED\n"); + } + else { + if(certclock < time(NULL)) { + if(data->set.ssl.verifypeer) { + failf(data, "server certificate expiration date has passed."); + return CURLE_PEER_FAILED_VERIFICATION; + } + else + infof(data, "\t server certificate expiration date FAILED\n"); + } + else + infof(data, "\t server certificate expiration date OK\n"); } - else - infof(data, "\t server certificate expiration date OK\n"); certclock = gnutls_x509_crt_get_activation_time(x509_cert); if(certclock == (time_t)-1) { - failf(data, "server cert activation date verify failed"); - return CURLE_SSL_CONNECT_ERROR; - } - - if(certclock > time(NULL)) { if(data->set.ssl.verifypeer) { - failf(data, "server certificate not activated yet."); - return CURLE_PEER_FAILED_VERIFICATION; + failf(data, "server cert activation date verify failed"); + return CURLE_SSL_CONNECT_ERROR; } else - infof(data, "\t server certificate activation date FAILED\n"); + infof(data, "\t server certificate activation date verify FAILED\n"); + } + else { + if(certclock > time(NULL)) { + if(data->set.ssl.verifypeer) { + failf(data, "server certificate not activated yet."); + return CURLE_PEER_FAILED_VERIFICATION; + } + else + infof(data, "\t server certificate activation date FAILED\n"); + } + else + infof(data, "\t server certificate activation date OK\n"); } - else - infof(data, "\t server certificate activation date OK\n"); /* Show: |