gnutls: ignore invalid certificate dates with VERIFYPEER disabled

This makes the behaviour consistent with what happens if a date can
be extracted from the certificate but is expired.

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 5bdcb3caccad11ffd55fc1432f84e58d50ce15b9..5f3bc0cd36e5328c6ec739d364770774c0444388 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -38,6 +38,7 @@ This release includes the following bugfixes:
  o nss: make the fallback to SSLv3 work again
  o tool: prevent valgrind from reporting possibly lost memory (nss only)
  o nss: fix a memory leak when CURLOPT_CRLFILE is used
+ o gnutls: ignore invalid certificate dates with VERIFYPEER disabled
  o 
 
 This release includes the following known bugs:

diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index f77ce66c67caca5ae2fa5ce2f4ffd47eb736fd3f..7f920b27adf466c9a1faf4e82758bc7507be521a 100644 (file)
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -789,38 +789,48 @@ gtls_connect_step3(struct connectdata *conn,
   certclock = gnutls_x509_crt_get_expiration_time(x509_cert);
 
   if(certclock == (time_t)-1) {
-    failf(data, "server cert expiration date verify failed");
-    return CURLE_SSL_CONNECT_ERROR;
-  }
-
-  if(certclock < time(NULL)) {
     if(data->set.ssl.verifypeer) {
-      failf(data, "server certificate expiration date has passed.");
-      return CURLE_PEER_FAILED_VERIFICATION;
+      failf(data, "server cert expiration date verify failed");
+      return CURLE_SSL_CONNECT_ERROR;
     }
     else
-      infof(data, "\t server certificate expiration date FAILED\n");
+      infof(data, "\t server certificate expiration date verify FAILED\n");
+  }
+  else {
+    if(certclock < time(NULL)) {
+      if(data->set.ssl.verifypeer) {
+        failf(data, "server certificate expiration date has passed.");
+        return CURLE_PEER_FAILED_VERIFICATION;
+      }
+      else
+        infof(data, "\t server certificate expiration date FAILED\n");
+    }
+    else
+      infof(data, "\t server certificate expiration date OK\n");
   }
-  else
-    infof(data, "\t server certificate expiration date OK\n");
 
   certclock = gnutls_x509_crt_get_activation_time(x509_cert);
 
   if(certclock == (time_t)-1) {
-    failf(data, "server cert activation date verify failed");
-    return CURLE_SSL_CONNECT_ERROR;
-  }
-
-  if(certclock > time(NULL)) {
     if(data->set.ssl.verifypeer) {
-      failf(data, "server certificate not activated yet.");
-      return CURLE_PEER_FAILED_VERIFICATION;
+      failf(data, "server cert activation date verify failed");
+      return CURLE_SSL_CONNECT_ERROR;
     }
     else
-      infof(data, "\t server certificate activation date FAILED\n");
+      infof(data, "\t server certificate activation date verify FAILED\n");
+  }
+  else {
+    if(certclock > time(NULL)) {
+      if(data->set.ssl.verifypeer) {
+        failf(data, "server certificate not activated yet.");
+        return CURLE_PEER_FAILED_VERIFICATION;
+      }
+      else
+        infof(data, "\t server certificate activation date FAILED\n");
+    }
+    else
+      infof(data, "\t server certificate activation date OK\n");
   }
-  else
-    infof(data, "\t server certificate activation date OK\n");
 
   /* Show: