Loading CHANGES +8 −0 Original line number Diff line number Diff line Loading @@ -6,6 +6,14 @@ Changelog Version 7.16.4 (10 July 2007) Daniel S (10 July 2007) - Kees Cook notified us about a security flaw (http://curl.haxx.se/docs/adv_20070710.html) in which libcurl failed to properly reject some outdated or not yet valid server certificates when built with GnuTLS. Kees also provided the patch. James H (5 July 2007) - Gavrie Philipson provided a patch that will use a more specific error message for an scp:// upload failure. If libssh2 has his matching Loading RELEASE-NOTES +4 −1 Original line number Diff line number Diff line Loading @@ -22,6 +22,9 @@ This release includes the following bugfixes: o fixed the 10-at-a-time.c example o FTP over SOCKS proxy o improved error messages on SCP upload failures o security flaw (http://curl.haxx.se/docs/adv_20070710.html) in which libcurl failed to properly reject some outdated or not yet valid server certificates when built with GnuTLS This release includes the following known bugs: Loading @@ -39,6 +42,6 @@ This release would not have looked like this without help, code, reports and advice from friends like these: Robert Iakobashvili, James Housley, Gnter Knauf, James Bursa, Song Ma, Thomas J. Moore, Gavrie Philipson Thomas J. Moore, Gavrie Philipson, Kees Cook Thanks! (and sorry if I forgot to mention someone) lib/gtls.c +37 −0 Original line number Diff line number Diff line Loading 
@@ -420,6 +420,43 @@ Curl_gtls_connect(struct connectdata *conn, else infof(data, "\t common name: %s (matched)\n", certbuf); /* Check for time-based validity */ clock = gnutls_x509_crt_get_expiration_time(x509_cert); if(clock == (time_t)-1) { failf(data, "server cert expiration date verify failed"); return CURLE_SSL_CONNECT_ERROR; } if(clock < time(NULL)) { if (data->set.ssl.verifypeer) { failf(data, "server certificate expiration date has passed."); return CURLE_SSL_PEER_CERTIFICATE; } else infof(data, "\t server certificate expiration date FAILED\n"); } else infof(data, "\t server certificate expiration date OK\n"); clock = gnutls_x509_crt_get_activation_time(x509_cert); if(clock == (time_t)-1) { failf(data, "server cert activation date verify failed"); return CURLE_SSL_CONNECT_ERROR; } if(clock > time(NULL)) { if (data->set.ssl.verifypeer) { failf(data, "server certificate not activated yet."); return CURLE_SSL_PEER_CERTIFICATE; } else infof(data, "\t server certificate activation date FAILED\n"); } else infof(data, "\t server certificate activation date OK\n"); /* Show: - ciphers used Loading Loading
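Review bot: in the lib/gtls.c hunk, the two `if(clock == (time_t)-1)` branches return CURLE_SSL_CONNECT_ERROR regardless of `data->set.ssl.verifypeer`, while the expired and not-yet-active branches fail only when verifypeer is set and otherwise just log "FAILED" and continue; if a connection with verifypeer disabled is meant to tolerate any validity-period problem, the unreadable-date cases should use the same `if (data->set.ssl.verifypeer)` guard, and if an unreadable date is deliberately treated as a malformed certificate, a one-line comment saying so would save the next reader the question. Smaller points: the variable name `clock` shadows `clock()` from <time.h> (a name like `certclock` avoids that); `time(NULL)` is sampled separately for the expiration and activation checks, so reading it once into a local keeps both comparisons against the same instant; and `if (data->set.ssl.verifypeer)` has a space before the parenthesis where the surrounding code writes `if(clock ...)`.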