[PATCH] also catch expired CAs

Joe Orton joe at manyfish.co.uk
Fri Oct 24 12:17:13 EDT 2008


I've committed all your patches except this one - thanks a lot!

On Thu, Oct 23, 2008 at 04:00:11PM +0200, Ludwig Nussel wrote:
> Joe Orton wrote:
> > The NE_SSL_{EXPIRED,NOTYETVALID} logic has previously really only 
> > applied to the server cert itself, rather than to *any* cert in the 
> > chain.  This change could result in both _EXPIRED and _NOTYETVALID being 
> > set in the failures mask, which is kind of non-intuitive.
> > 
> > I think what I'd prefer to do here would be to add a new bit to the 
> > failures bitmask, which indicates that some cert in the chain is outside 
> > its validity period.  (NE_SSL_INVALIDCHAIN maybe?  Slightly awkward)
> > 
> > What do you think?
> 
> Firefox keeps intermediate certificates secret and just claims that
> the issuer certificate has expired. Konqueror also just says the
> certificate has expired. I guess there is no good solution as long
> as the user cannot inspect the whole chain.

Well, neon does (or should) expose the entire chain, so, it's possible 
for the app to make the distinction between the two (pretty different) 
error cases.  So I would rather go with a new failure code unless 
there's a really strong reason not to.

> One could also change the meaning of the NE_SSL_{EXPIRED,NOTYETVALID} 
> to "the server certificate itself or a certificate in the chain has 
> expired/is not yet valid".

"changing the meaning" is kind of "changing the API" here, so I'd rather 
avoid doing that also.

Regards, Joe
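The two designs discussed above, as an added example that is not part of the original thread and not neon's own code: a stand-alone C model of the verify-callback failures mask. The struct cert stands in for ne_ssl_certificate (its issuer pointer plays the role of ne_ssl_cert_signedby(), its window the role of ne_ssl_cert_validity_time()); the numeric values of NE_SSL_NOTYETVALID and NE_SSL_EXPIRED are assumed, and NE_SSL_INVALIDCHAIN is the hypothetical bit proposed in the thread, not an API constant. The chain and its validity dates are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Failure bits as neon names them in ne_ssl.h; the numeric values here are
 * assumptions for this stand-alone model. */
#define NE_SSL_NOTYETVALID  (1 << 0)
#define NE_SSL_EXPIRED      (1 << 1)
/* Hypothetical bit from the proposal in this thread; not part of neon's API. */
#define NE_SSL_INVALIDCHAIN (1 << 5)

/* Stand-in for ne_ssl_certificate: the validity window that
 * ne_ssl_cert_validity_time() reports and the issuer link that
 * ne_ssl_cert_signedby() follows (NULL for a self-signed root). */
struct cert {
    const char *name;
    time_t not_before;
    time_t not_after;
    const struct cert *issuer;
};

/* Time-validity bits for one certificate at instant 'now'. */
static int cert_time_failures(const struct cert *c, time_t now)
{
    int f = 0;
    if (now < c->not_before) f |= NE_SSL_NOTYETVALID;
    if (now > c->not_after)  f |= NE_SSL_EXPIRED;
    return f;
}

/* Policy A, the patch as submitted: the same two bits are OR'ed in for every
 * certificate in the chain, so the caller cannot tell which cert failed and
 * _EXPIRED and _NOTYETVALID can end up set together. */
int failures_shared_bits(const struct cert *server, time_t now)
{
    int f = 0;
    const struct cert *c;
    for (c = server; c != NULL; c = c->issuer)
        f |= cert_time_failures(c, now);
    return f;
}

/* Policy B, the proposal: _EXPIRED/_NOTYETVALID keep their old meaning (server
 * cert only) and one separate bit flags any issuer outside its window. */
int failures_chain_bit(const struct cert *server, time_t now)
{
    int f = cert_time_failures(server, now);
    const struct cert *c;
    for (c = server->issuer; c != NULL; c = c->issuer) {
        if (cert_time_failures(c, now) != 0) {
            f |= NE_SSL_INVALIDCHAIN;
            break;
        }
    }
    return f;
}

/* What an application's verify callback can do once the chain is exposed:
 * walk it and name the first certificate outside its validity window.
 * Returns NULL when every certificate is within its window. */
const char *first_invalid_cert(const struct cert *server, time_t now)
{
    const struct cert *c;
    for (c = server; c != NULL; c = c->issuer)
        if (cert_time_failures(c, now) != 0)
            return c->name;
    return NULL;
}

/* Constructed chain (not real certificates): the server cert is within its
 * window, the intermediate CA expired at t=500000, the root is fine. */
const struct cert root_ca  = { "root CA", 0, 2000000, NULL };
const struct cert inter_ca = { "intermediate CA", 0, 500000, &root_ca };
const struct cert server_ok = { "server", 900000, 1500000, &inter_ca };
/* Same chain, but the server cert itself is also not yet valid. */
const struct cert server_future = { "server (not yet valid)", 1200000, 1500000, &inter_ca };

#define NOW ((time_t)1000000)

static void show(const char *label, int f)
{
    printf("%-28s mask=0x%02x%s%s%s\n", label, f,
           (f & NE_SSL_NOTYETVALID)  ? " NOTYETVALID"  : "",
           (f & NE_SSL_EXPIRED)      ? " EXPIRED"      : "",
           (f & NE_SSL_INVALIDCHAIN) ? " INVALIDCHAIN" : "");
}

int main(void)
{
    show("shared bits, server ok", failures_shared_bits(&server_ok, NOW));
    show("chain bit, server ok", failures_chain_bit(&server_ok, NOW));
    show("shared bits, server future", failures_shared_bits(&server_future, NOW));
    show("chain bit, server future", failures_chain_bit(&server_future, NOW));
    printf("first invalid cert: %s\n", first_invalid_cert(&server_ok, NOW));
    return 0;
}
```

With the shared-bits policy an expired intermediate produces the same mask as an expired server certificate, and a not-yet-valid server certificate behind that intermediate yields _EXPIRED and _NOTYETVALID set at once; with the separate chain bit the server-cert bits keep their existing meaning and the callback can walk the chain to report which issuer is at fault.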


More information about the neon mailing list