[PATCH] also catch expired CAs
Joe Orton
joe at manyfish.co.uk
Thu Oct 23 09:13:58 EDT 2008
Nice catch! Hmmm.
The NE_SSL_{EXPIRED,NOTYETVALID} logic has previously really only
applied to the server cert itself, rather than to *any* cert in the
chain. This change could result in both _EXPIRED and _NOTYETVALID being
set in the failures mask, which is kind of non-intuitive.
I think what I'd prefer to do here would be to add a new bit to the
failures bitmask, which indicates that some cert in the chain is outside
its validity period. (NE_SSL_INVALIDCHAIN maybe? Slightly awkward)
What do you think?
Regards, Joe
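To make the bitmask question concrete, here is an added illustration (example code, not part of the neon project or of the patch under discussion). It uses a stand-in certificate struct holding only the validity window, plus a hypothetical NE_SSL_INVALIDCHAIN bit as floated above; the bit values assigned to all three constants are assumptions for this example, not neon's ne_ssl.h definitions. It contrasts the "apply the leaf logic to every cert" behaviour, which can leave both _EXPIRED and _NOTYETVALID set, with the proposed separate chain bit.

```c
#include <stdio.h>
#include <time.h>

/* NE_SSL_NOTYETVALID / NE_SSL_EXPIRED mirror the names in neon's ne_ssl.h;
 * the numeric values here and NE_SSL_INVALIDCHAIN itself are assumptions
 * for this example (the latter is the extra chain bit proposed above). */
#define NE_SSL_NOTYETVALID  0x01
#define NE_SSL_EXPIRED      0x02
#define NE_SSL_INVALIDCHAIN 0x40   /* hypothetical: an issuer cert is outside its validity period */

/* Minimal stand-in for a certificate: only the validity window matters here. */
struct cert {
    const char *subject;
    time_t not_before;
    time_t not_after;
};

/* The behaviour the mail objects to: the leaf test applied to every cert in
 * the chain, so an expired issuer plus a not-yet-valid leaf sets both bits. */
int naive_failures(const struct cert *chain, size_t len, time_t now)
{
    int failures = 0;
    size_t i;
    for (i = 0; i < len; i++) {
        if (now < chain[i].not_before)
            failures |= NE_SSL_NOTYETVALID;
        else if (now > chain[i].not_after)
            failures |= NE_SSL_EXPIRED;
    }
    return failures;
}

/* Proposed shape: chain is ordered leaf first. Only the leaf (chain[0]) can
 * set EXPIRED / NOTYETVALID; any issuer cert outside its window sets the
 * single INVALIDCHAIN bit, so the two leaf bits stay mutually exclusive. */
int proposed_failures(const struct cert *chain, size_t len, time_t now)
{
    int failures = 0;
    size_t i;

    if (len == 0)
        return 0;

    if (now < chain[0].not_before)
        failures |= NE_SSL_NOTYETVALID;
    else if (now > chain[0].not_after)
        failures |= NE_SSL_EXPIRED;

    for (i = 1; i < len; i++) {
        if (now < chain[i].not_before || now > chain[i].not_after) {
            failures |= NE_SSL_INVALIDCHAIN;
            break;
        }
    }
    return failures;
}

/* Constructed sample chain (not real certificates): the leaf becomes valid at
 * t=2000 and expires at t=3000; its issuer CA was valid from t=0 to t=1500. */
static const struct cert sample_chain[2] = {
    { "leaf",      2000, 3000 },
    { "issuer-ca",    0, 1500 },
};

int main(void)
{
    time_t now = 1800;   /* leaf not yet valid, issuer already expired */
    printf("naive mask:    0x%02x\n", naive_failures(sample_chain, 2, now));
    printf("proposed mask: 0x%02x\n", proposed_failures(sample_chain, 2, now));
    return 0;
}
```

At t=1800 the naive mask comes out as 0x03 (both leaf bits set, with no way to tell which cert caused which), whereas the proposed mask is 0x41: NOTYETVALID for the leaf and the chain bit for the issuer, which is what a verify callback would actually want to report to a user.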