[PATCH] also catch expired CAs
Ludwig Nussel
ludwig.nussel at suse.de
Thu Oct 23 10:00:11 EDT 2008
Joe Orton wrote:
> The NE_SSL_{EXPIRED,NOTYETVALID} logic has previously really only
> applied to the server cert itself, rather than to *any* cert in the
> chain. This change could result in both _EXPIRED and _NOTYETVALID being
> set in the failures mask, which is kind of non-intuitive.
>
> I think what I'd prefer to do here would be to add a new bit to the
> failures bitmask, which indicates that some cert in the chain is outside
> its validity period. (NE_SSL_INVALIDCHAIN maybe? Slightly awkward)
>
> What do you think?
Firefox keeps intermediate certificates secret and just claims that
the issuer certificate has expired. Konqueror also just says the
certificate has expired. I guess there is no good solution as long
as the user cannot inspect the whole chain. One could also change
the meaning of the NE_SSL_{EXPIRED,NOTYETVALID} to "the server
certificate itself or a certificate in the chain has expired/is not
yet valid".
cu
Ludwig
--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
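As an added illustration of the two bitmask semantics being debated above (the current "OR every cert's bits into one mask" behaviour versus Joe's proposed separate chain bit), here is a small C example. It is not neon's code: the EX_SSL_* values, the hypothetical EX_SSL_INVALIDCHAIN bit, the ex_cert struct and the convention that chain[0] is the server certificate are all assumptions made for this example, and the validity times are constructed offsets rather than real dates.

```c
#include <stdio.h>
#include <stddef.h>
#include <time.h>

/* Local stand-ins for neon's NE_SSL_* failure bits. The values and the
 * EX_SSL_INVALIDCHAIN bit are assumptions for this example, not ne_ssl.h. */
#define EX_SSL_NOTYETVALID  0x01u
#define EX_SSL_EXPIRED      0x02u
#define EX_SSL_INVALIDCHAIN 0x10u

/* One certificate's validity window; chain[0] is the server cert (assumed). */
struct ex_cert {
    const char *subject;
    time_t not_before;
    time_t not_after;
};

/* Validity bits for a single certificate at time 'now'. */
static unsigned ex_validity_bits(const struct ex_cert *c, time_t now)
{
    unsigned bits = 0;
    if (now < c->not_before)
        bits |= EX_SSL_NOTYETVALID;
    if (now > c->not_after)
        bits |= EX_SSL_EXPIRED;
    return bits;
}

/* Behaviour the thread objects to: every cert's bits are ORed into the one
 * mask, so a not-yet-valid leaf under an expired intermediate yields
 * EXPIRED|NOTYETVALID and the caller cannot tell which cert is at fault. */
unsigned ex_failures_flat(const struct ex_cert *chain, size_t n, time_t now)
{
    unsigned mask = 0;
    size_t i;
    for (i = 0; i < n; i++)
        mask |= ex_validity_bits(&chain[i], now);
    return mask;
}

/* Proposed scheme: EXPIRED/NOTYETVALID describe only the server cert;
 * a validity problem anywhere above it collapses into one INVALIDCHAIN bit. */
unsigned ex_failures_chain(const struct ex_cert *chain, size_t n, time_t now)
{
    unsigned mask;
    size_t i;
    if (n == 0)
        return EX_SSL_INVALIDCHAIN;   /* no certificate at all: treat as bad chain */
    mask = ex_validity_bits(&chain[0], now);
    for (i = 1; i < n; i++) {
        if (ex_validity_bits(&chain[i], now) != 0) {
            mask |= EX_SSL_INVALIDCHAIN;
            break;
        }
    }
    return mask;
}

int main(void)
{
    /* Constructed chain: leaf not yet valid, intermediate expired, root fine.
     * Times are plain offsets, not real dates. */
    const struct ex_cert chain[] = {
        { "CN=server.example", 200, 400 },
        { "CN=Intermediate CA",  0, 150 },
        { "CN=Root CA",          0, 900 },
    };
    time_t now = 160;
    printf("flat mask:  0x%02x\n", ex_failures_flat(chain, 3, now));
    printf("chain mask: 0x%02x\n", ex_failures_chain(chain, 3, now));
    return 0;
}
```

With the constructed chain at time 160 the flat scheme reports 0x03 (both EXPIRED and NOTYETVALID set, the non-intuitive result Joe describes), while the chain scheme reports NOTYETVALID for the leaf plus the single INVALIDCHAIN bit, so a UI can still say which problem belongs to the server certificate itself.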