From: Dan Fandrich
Date: Fri, 11 Jul 2014 21:21:31 +0000 (+0200)
Subject: gnutls: ignore invalid certificate dates with VERIFYPEER disabled
X-Git-Tag: curl-7_37_1~25
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=baf8b57b1d174748d5e01ac67a70f7f96c946637;p=thirdparty%2Fcurl.git

gnutls: ignore invalid certificate dates with VERIFYPEER disabled

This makes the behaviour consistent with what happens if a date can be extracted from the certificate but is expired.
---
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 5bdcb3cacc..5f3bc0cd36 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -38,6 +38,7 @@ This release includes the following bugfixes:
  o nss: make the fallback to SSLv3 work again
  o tool: prevent valgrind from reporting possibly lost memory (nss only)
  o nss: fix a memory leak when CURLOPT_CRLFILE is used
+ o gnutls: ignore invalid certificate dates with VERIFYPEER disabled
  o 
 
 This release includes the following known bugs:
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index f77ce66c67..7f920b27ad 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -789,38 +789,48 @@ gtls_connect_step3(struct connectdata *conn,
   certclock = gnutls_x509_crt_get_expiration_time(x509_cert);
   if(certclock == (time_t)-1) {
-    failf(data, "server cert expiration date verify failed");
-    return CURLE_SSL_CONNECT_ERROR;
-  }
-
-  if(certclock < time(NULL)) {
     if(data->set.ssl.verifypeer) {
-      failf(data, "server certificate expiration date has passed.");
-      return CURLE_PEER_FAILED_VERIFICATION;
+      failf(data, "server cert expiration date verify failed");
+      return CURLE_SSL_CONNECT_ERROR;
     }
     else
-      infof(data, "\t server certificate expiration date FAILED\n");
+      infof(data, "\t server certificate expiration date verify FAILED\n");
+  }
+  else {
+    if(certclock < time(NULL)) {
+      if(data->set.ssl.verifypeer) {
+        failf(data, "server certificate expiration date has passed.");
+        return CURLE_PEER_FAILED_VERIFICATION;
+      }
+      else
+        infof(data, "\t server certificate expiration date FAILED\n");
+    }
+    else
+      infof(data, "\t server certificate expiration date OK\n");
   }
-  else
-    infof(data, "\t server certificate expiration date OK\n");
   certclock = gnutls_x509_crt_get_activation_time(x509_cert);
   if(certclock == (time_t)-1) {
-    failf(data, "server cert activation date verify failed");
-    return CURLE_SSL_CONNECT_ERROR;
-  }
-
-  if(certclock > time(NULL)) {
     if(data->set.ssl.verifypeer) {
-      failf(data, "server certificate not activated yet.");
-      return CURLE_PEER_FAILED_VERIFICATION;
+      failf(data, "server cert activation date verify failed");
+      return CURLE_SSL_CONNECT_ERROR;
     }
     else
-      infof(data, "\t server certificate activation date FAILED\n");
+      infof(data, "\t server certificate activation date verify FAILED\n");
+  }
+  else {
+    if(certclock > time(NULL)) {
+      if(data->set.ssl.verifypeer) {
+        failf(data, "server certificate not activated yet.");
+        return CURLE_PEER_FAILED_VERIFICATION;
+      }
+      else
+        infof(data, "\t server certificate activation date FAILED\n");
+    }
+    else
+      infof(data, "\t server certificate activation date OK\n");
   }
-  else
-    infof(data, "\t server certificate activation date OK\n");
   /* Show: