[PATCH] also catch expired CAs

Ludwig Nussel ludwig.nussel at suse.de
Thu Oct 23 10:00:11 EDT 2008

Joe Orton wrote:
> The NE_SSL_{EXPIRED,NOTYETVALID} logic has previously really only 
> applied to the server cert itself, rather than to *any* cert in the 
> chain.  This change could result in both _EXPIRED and _NOTYETVALID being 
> set in the failures mask, which is kind of non-intuitive.
> I think what I'd prefer to do here would be to add a new bit to the 
> failures bitmask, which indicates that some cert in the chain is outside 
> its validity period.  (NE_SSL_INVALIDCHAIN maybe?  Slightly awkward)
> What do you think?

Firefox keeps intermediate certificates secret and just claims that
the issuer certificate has expired. Konqueror also just says the
certificate has expired. I guess there is no good solution as long
as the user cannot inspect the whole chain. One could also change
the meaning of the NE_SSL_{EXPIRED,NOTYETVALID} to "the server
certificate itself or a certificate in the chain as expired/is not
yet valid".


 (o_   Ludwig Nussel
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

More information about the neon mailing list