Add a comment about gnutls date bits in certstat.

It's easy to miss the call disabling date checking and wonder why the
certstat bits are not set.

diff --git a/conn/ssl_gnutls.c b/conn/ssl_gnutls.c
index f941c5a57601251b88c88f8d409455118b720e55..987dcfdba0567886b19566ce6978c465f57673d1 100644 (file)
--- a/conn/ssl_gnutls.c
+++ b/conn/ssl_gnutls.c
@@ -347,6 +347,10 @@ static int tls_check_preauth(const gnutls_datum_t *certdata,
     return -1;
   }
 
+  /* Note: tls_negotiate() contains a call to
+   * gnutls_certificate_set_verify_flags() with a flag disabling
+   * GnuTLS checking of the dates.  So certstat shouldn't have the
+   * GNUTLS_CERT_EXPIRED and GNUTLS_CERT_NOT_ACTIVATED bits set. */
   if (SslVerifyDates != MUTT_NO)
   {
     if (gnutls_x509_crt_get_expiration_time(cert) < time(NULL))