Re: [PATCH] Use the right certificate when detailing SSL errors

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 16 Nov 2011 13:40:07 +1300

 On Tue, 15 Nov 2011 10:06:20 -0700, Alex Rousskov wrote:
> Hello,
>
> When an _intermediate_ SSL server certificate fails validation, we
> should report errors using information in that certificate and not in
> the top-level "peer" certificate. Otherwise, our details may make no
> sense. For example, we could say that the validation failed due to the
> expired certificate and show an expiration date in the future (because
> the top-level certificate did not expire but the intermediate
> certificate did).
>
> OpenSSL X509_STORE_CTX_get_current_cert() returns the certificate that
> was being tested when our certificate validation callback was called.
>
>
> Thank you,
>
> Alex.

 +1. Seems fine.

 Amos
Received on Wed Nov 16 2011 - 00:40:15 MST