[PATCH] also catch expired CAs

Joe Orton joe at manyfish.co.uk
Thu Oct 23 09:13:58 EDT 2008


Nice catch!  Hmmm.

The NE_SSL_{EXPIRED,NOTYETVALID} logic has previously really only 
applied to the server cert itself, rather than to *any* cert in the 
chain.  This change could result in both _EXPIRED and _NOTYETVALID being 
set in the failures mask, which is kind of non-intuitive.

I think what I'd prefer to do here would be to add a new bit to the 
failures bitmask, which indicates that some cert in the chain is outside 
its validity period.  (NE_SSL_INVALIDCHAIN maybe?  Slightly awkward)

What do you think?

Regards, Joe




More information about the neon mailing list