gnutls: ignore invalid certificate dates with VERIFYPEER disabled

This makes the behaviour consistent with what happens if a date can be extracted from the certificate but is expired.

gnutls: ignore invalid certificate dates with VERIFYPEER disabled
baf8b57b · Dan Fandrich · f9b80cde · baf8b57b · baf8b57b
Commit baf8b57b authored 10 years ago by Dan Fandrich
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -38,6 +38,7 @@ This release includes the following bugfixes:
 o nss: make the fallback to SSLv3 work again
 o tool: prevent valgrind from reporting possibly lost memory (nss only)
 o nss: fix a memory leak when CURLOPT_CRLFILE is used
+ o gnutls: ignore invalid certificate dates with VERIFYPEER disabled
 o 

 This release includes the following known bugs:

--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -789,38 +789,48 @@ gtls_connect_step3(struct connectdata *conn,
  certclock = gnutls_x509_crt_get_expiration_time(x509_cert);

  if(certclock == (time_t)-1) {
-    failf(data, "server cert expiration date verify failed");
-    return CURLE_SSL_CONNECT_ERROR;
-  }
-
-  if(certclock < time(NULL)) {
    if(data->set.ssl.verifypeer) {
-      failf(data, "server certificate expiration date has passed.");
-      return CURLE_PEER_FAILED_VERIFICATION;
+      failf(data, "server cert expiration date verify failed");
+      return CURLE_SSL_CONNECT_ERROR;
    }
    else
-      infof(data, "\t server certificate expiration date FAILED\n");
+      infof(data, "\t server certificate expiration date verify FAILED\n");
+  }
+  else {
+    if(certclock < time(NULL)) {
+      if(data->set.ssl.verifypeer) {
+        failf(data, "server certificate expiration date has passed.");
+        return CURLE_PEER_FAILED_VERIFICATION;
+      }
+      else
+        infof(data, "\t server certificate expiration date FAILED\n");
+    }
+    else
+      infof(data, "\t server certificate expiration date OK\n");
  }
-  else
-    infof(data, "\t server certificate expiration date OK\n");

  certclock = gnutls_x509_crt_get_activation_time(x509_cert);

  if(certclock == (time_t)-1) {
-    failf(data, "server cert activation date verify failed");
-    return CURLE_SSL_CONNECT_ERROR;
-  }
-
-  if(certclock > time(NULL)) {
    if(data->set.ssl.verifypeer) {
-      failf(data, "server certificate not activated yet.");
-      return CURLE_PEER_FAILED_VERIFICATION;
+      failf(data, "server cert activation date verify failed");
+      return CURLE_SSL_CONNECT_ERROR;
    }
    else
-      infof(data, "\t server certificate activation date FAILED\n");
+      infof(data, "\t server certificate activation date verify FAILED\n");
+  }
+  else {
+    if(certclock > time(NULL)) {
+      if(data->set.ssl.verifypeer) {
+        failf(data, "server certificate not activated yet.");
+        return CURLE_PEER_FAILED_VERIFICATION;
+      }
+      else
+        infof(data, "\t server certificate activation date FAILED\n");
+    }
+    else
+      infof(data, "\t server certificate activation date OK\n");
  }
-  else
-    infof(data, "\t server certificate activation date OK\n");

  /* Show: