path: root/src/lib/libssl/man/SSL_clear.3
author: jsing <> 2020-05-31 17:23:39 +0000
committer: jsing <> 2020-05-31 17:23:39 +0000
commit: ac59d0e35f28383b918365d1f209defd9cc9ffd5 (patch)
tree: 01f26b95072749b2981e5122395e5eebc58f1fdf /src/lib/libssl/man/SSL_clear.3
parent: a49dcaedc471e79508b3e5674c538ca90f5c4e2e (diff)
When building a chain look for non-expired certificates first.
Currently, when building a certificate chain we look up an issuer and if it is the only issuer certificate available we still use it even if it has expired. When X509_V_FLAG_TRUSTED_FIRST is not in use, untrusted certificates are processed first and if one of these happens to be expired it will be used to build the chain, even if there is another non-expired option in the trusted store.

Rework this code so that we first look for a non-expired untrusted certificate. If one does not exist then we take a look in the trusted store to see if we would be able to build the chain and only if there is not, do we then look for an expired untrusted certificate.

This makes certificate validation possible for various sites that are serving expired AddTrust certificates.

Issue reported by Christian Heimes via GitHub.

ok beck@ tb@
Diffstat (limited to 'src/lib/libssl/man/SSL_clear.3')
0 files changed, 0 insertions, 0 deletions
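To make the lookup ordering in the commit message concrete, the following is an added Python model of issuer selection; it is not libssl's code and does not touch real X509 objects. The `Cert` class, `find_issuer_old`, `find_issuer_new`, `build_chain`, `chain_ok` and the certificate names and dates are all constructed for this example. It reproduces the layout the message describes: a server sends an expired cross-signed intermediate plus an expired AddTrust-style root, while the client's trust store holds a current self-signed root with the same subject as the cross-signed certificate.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X509 certificate: only the fields chain
    building cares about here (constructed model, not libcrypto's X509)."""
    subject: str
    issuer: str
    not_after: datetime

    def expired(self, now):
        return now > self.not_after

    def self_signed(self):
        return self.subject == self.issuer


def find_issuer_old(cert, untrusted, trusted, now):
    """Behaviour the commit replaces (X509_V_FLAG_TRUSTED_FIRST off):
    the first untrusted certificate whose subject matches wins, expired or
    not; the trusted store is consulted only when untrusted has no match."""
    for c in untrusted:
        if c.subject == cert.issuer:
            return c, "untrusted"
    for c in trusted:
        if c.subject == cert.issuer:
            return c, "trusted"
    return None, None


def find_issuer_new(cert, untrusted, trusted, now):
    """Ordering described in the commit message:
    1. a non-expired untrusted issuer,
    2. otherwise a non-expired issuer from the trusted store,
    3. only then an expired untrusted issuer, as a last resort."""
    matches = [c for c in untrusted if c.subject == cert.issuer]
    for c in matches:
        if not c.expired(now):
            return c, "untrusted"
    for c in trusted:
        if c.subject == cert.issuer and not c.expired(now):
            return c, "trusted"
    if matches:
        return matches[0], "untrusted"
    return None, None


def build_chain(leaf, untrusted, trusted, now, find_issuer):
    """Walk issuers until a self-signed certificate or a dead end. Once a
    trusted-store certificate has been chosen, later lookups stay in the
    store (the untrusted pool is dropped), as real verification does."""
    chain, sources, seen = [leaf], ["leaf"], {leaf.subject}
    in_store = False
    while not chain[-1].self_signed():
        pool = [] if in_store else untrusted
        issuer, src = find_issuer(chain[-1], pool, trusted, now)
        if issuer is None or issuer.subject in seen:
            break
        chain.append(issuer)
        sources.append(src)
        seen.add(issuer.subject)
        in_store = in_store or src == "trusted"
    return chain, sources


def chain_ok(chain, trusted, now):
    """Acceptable when the chain ends in a trust anchor and nothing in it
    has expired."""
    return chain[-1] in trusted and not any(c.expired(now) for c in chain)


UTC = timezone.utc
NOW = datetime(2020, 6, 1, tzinfo=UTC)

# Constructed certificates: an expired cross-signed intermediate and an
# expired legacy root sent by the server, and a current self-signed root
# with the same subject as the cross-signed cert in the client's store.
LEAF = Cert("www.example.test", "Modern Root CA", datetime(2021, 1, 1, tzinfo=UTC))
CROSS = Cert("Modern Root CA", "AddTrust Root", datetime(2020, 5, 30, tzinfo=UTC))
ADDTRUST = Cert("AddTrust Root", "AddTrust Root", datetime(2020, 5, 30, tzinfo=UTC))
ROOT = Cert("Modern Root CA", "Modern Root CA", datetime(2038, 1, 18, tzinfo=UTC))

SERVER_SENT = [CROSS, ADDTRUST]   # untrusted: what arrived in the handshake
TRUST_STORE = [ROOT]              # trusted: what the client has installed


def run(find_issuer, untrusted=SERVER_SENT, trusted=TRUST_STORE, now=NOW):
    """Build the chain for LEAF with the given lookup and report the
    subjects, where each link came from, and whether the chain is usable."""
    chain, sources = build_chain(LEAF, untrusted, trusted, now, find_issuer)
    return [c.subject for c in chain], sources, chain_ok(chain, trusted, now)


if __name__ == "__main__":
    for name, f in (("old", find_issuer_old), ("new", find_issuer_new)):
        subjects, sources, ok = run(f)
        print(f"{name}: {' -> '.join(subjects)} ({', '.join(sources)}) ok={ok}")
```

With the old ordering the expired cross-signed certificate is taken first and the chain dead-ends at the expired legacy root, so validation fails even though a valid anchor is installed; with the new ordering the expired untrusted candidate is skipped, the current root is found in the store, and the chain validates. The expired untrusted fallback still applies when the store has nothing usable, which keeps the error a verifier reports the same as before in that case.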