From baf8b57b1d174748d5e01ac67a70f7f96c946637 Mon Sep 17 00:00:00 2001 From: Dan Fandrich Date: Fri, 11 Jul 2014 23:21:31 +0200 Subject: [PATCH] gnutls: ignore invalid certificate dates with VERIFYPEER disabled This makes the behaviour consistent with what happens if a date can be extracted from the certificate but is expired. --- RELEASE-NOTES | 1 + lib/vtls/gtls.c | 50 ++++++++++++++++++++++++++++++-------------------- 2 files changed, 31 insertions(+), 20 deletions(-) diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 5bdcb3c..5f3bc0c 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -38,6 +38,7 @@ This release includes the following bugfixes: o nss: make the fallback to SSLv3 work again o tool: prevent valgrind from reporting possibly lost memory (nss only) o nss: fix a memory leak when CURLOPT_CRLFILE is used + o gnutls: ignore invalid certificate dates with VERIFYPEER disabled o This release includes the following known bugs: diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index f77ce66..7f920b2 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -789,38 +789,48 @@ gtls_connect_step3(struct connectdata *conn, certclock = gnutls_x509_crt_get_expiration_time(x509_cert); if(certclock == (time_t)-1) { - failf(data, "server cert expiration date verify failed"); - return CURLE_SSL_CONNECT_ERROR; - } - - if(certclock < time(NULL)) { if(data->set.ssl.verifypeer) { - failf(data, "server certificate expiration date has passed."); - return CURLE_PEER_FAILED_VERIFICATION; + failf(data, "server cert expiration date verify failed"); + return CURLE_SSL_CONNECT_ERROR; } else - infof(data, "\t server certificate expiration date FAILED\n"); + infof(data, "\t server certificate expiration date verify FAILED\n"); + } + else { + if(certclock < time(NULL)) { + if(data->set.ssl.verifypeer) { + failf(data, "server certificate expiration date has passed."); + return CURLE_PEER_FAILED_VERIFICATION; + } + else + infof(data, "\t server certificate expiration date FAILED\n"); + } + else + infof(data, "\t server certificate expiration date OK\n"); } - else - infof(data, "\t server certificate expiration date OK\n"); certclock = gnutls_x509_crt_get_activation_time(x509_cert); if(certclock == (time_t)-1) { - failf(data, "server cert activation date verify failed"); - return CURLE_SSL_CONNECT_ERROR; - } - - if(certclock > time(NULL)) { if(data->set.ssl.verifypeer) { - failf(data, "server certificate not activated yet."); - return CURLE_PEER_FAILED_VERIFICATION; + failf(data, "server cert activation date verify failed"); + return CURLE_SSL_CONNECT_ERROR; } else - infof(data, "\t server certificate activation date FAILED\n"); + infof(data, "\t server certificate activation date verify FAILED\n"); + } + else { + if(certclock > time(NULL)) { + if(data->set.ssl.verifypeer) { + failf(data, "server certificate not activated yet."); + return CURLE_PEER_FAILED_VERIFICATION; + } + else + infof(data, "\t server certificate activation date FAILED\n"); + } + else + infof(data, "\t server certificate activation date OK\n"); } - else - infof(data, "\t server certificate activation date OK\n"); /* Show: -- 2.7.4