if (status & GNUTLS_CERT_REVOKED)
_gnutls_buffer_append_str (&str, _("The certificate chain revoked. "));
- if (status & GNUTLS_CERT_REVOCATION_DATA_TOO_OLD)
- _gnutls_buffer_append_str (&str, _("The revocation data are too old. "));
+ if (status & GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED)
+ _gnutls_buffer_append_str (&str, _("The revocation data are old and have been superseded. "));
if (status & GNUTLS_CERT_REVOCATION_DATA_INVALID)
_gnutls_buffer_append_str (&str, _("The revocation data are invalid. "));
goto cleanup;
}
+ /* Report but do not fail on the following errors. That is
+ * because including the OCSP response in the handshake shouldn't
+ * cause more problems that not including it.
+ */
if (ntime == -1)
{
if (now - vtime > MAX_OCSP_VALIDITY_SECS)
if (ntime < now)
{
_gnutls_audit_log(session, "There is a newer OCSP response but was not provided by the server\n");
- if (now-ntime > MAX_OCSP_VALIDITY_SECS)
- *ostatus |= GNUTLS_CERT_REVOCATION_DATA_TOO_OLD;
}
}
* should not be trusted.
* @GNUTLS_CERT_NOT_ACTIVATED: The certificate is not yet activated.
* @GNUTLS_CERT_EXPIRED: The certificate has expired.
- * @GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: The OCSP revocation data are too old.
* @GNUTLS_CERT_REVOCATION_DATA_INVALID: The OCSP revocation data are invalid.
+ * @GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED: The revocation data are old and have been superseded.
* @GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE: The revocation data have a future issue date.
* @GNUTLS_CERT_UNEXPECTED_OWNER: The owner is not the expected one.
*
GNUTLS_CERT_NOT_ACTIVATED = 1<<9,
GNUTLS_CERT_EXPIRED = 1<<10,
GNUTLS_CERT_SIGNATURE_FAILURE = 1<<11,
- GNUTLS_CERT_REVOCATION_DATA_TOO_OLD = 1<<12,
+ GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED = 1<<12,
GNUTLS_CERT_REVOCATION_DATA_INVALID = 1<<13,
GNUTLS_CERT_UNEXPECTED_OWNER = 1<<14,
GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE = 1<<15,
*output |= GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE;
if (gnutls_x509_crl_get_next_update (crl) < now)
- *output |= GNUTLS_CERT_REVOCATION_DATA_TOO_OLD;
+ *output |= GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED;
cleanup: