[PATCH] catch expired certificates in the chain
Joe Orton
joe at manyfish.co.uk
Tue Mar 3 18:01:11 EST 2009
On Thu, Feb 12, 2009 at 03:20:24PM +0000, Joe Orton wrote:
> On Wed, Feb 11, 2009 at 12:47:32PM +0000, Joe Orton wrote:
> > This is what I have in my current wc: it is over-complicated since it
> > requires doing a re-verification of the cert. It should be possible to
> > hook into the OpenSSL verify callback (SSL_CTX_set_verify) to do this
> > properly but my naive attempts to do so caused test failures.
>
> I got it working via that callback, and it's much simpler. I'll commit
> the below soon.

Committed in r1641 though it doesn't work correctly with GnuTLS. I've
also added an NE_SSL_REVOKED failure bit so that's ready for support of
CRL/OCSP-based revocation (not that I'm working on either!).

Thanks again!

Regards, Joe