author | Andreas Steffen <andreas.steffen@strongswan.org> | 2009-11-24 12:37:38 +0100 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2009-11-24 12:37:38 +0100 |
commit | c4570d188e55f2fd27319c98ef52a34c678b8bf4 (patch) | |
tree | d63d310b7468636ead54c181e2946bb43ded6988 | |
parent | 227583ba597191d08cbdb4254332181ed466548b (diff) | |
issue error message for expired certificates in OCSP trust chain checking
-rw-r--r-- | src/pluto/ocsp.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c
index d1533cc5a..b1f558ebf 100644
--- a/src/pluto/ocsp.c
+++ b/src/pluto/ocsp.c
@@ -998,6 +998,7 @@ static bool valid_ocsp_response(response_t *res)
 identification_t *subject = certificate->get_subject(certificate);
 identification_t *issuer = certificate->get_issuer(certificate);
 chunk_t authKeyID = x509->get_authKeyIdentifier(x509);
+ time_t not_before, not_after;
 
 DBG(DBG_CONTROL,
 DBG_log("subject: '%Y'", subject);
@@ -1008,8 +1009,11 @@ static bool valid_ocsp_response(response_t *res)
 }
 )
 
- if (!certificate->get_validity(certificate, NULL, NULL, NULL))
+ if (!certificate->get_validity(certificate, NULL, ¬_before, ¬_after))
 {
+ plog("certificate is invalid (valid from %T to %T)",
+ ¬_before, FALSE, ¬_after, FALSE);
+
 unlock_authcert_list("valid_ocsp_response");
 return FALSE;
 }
 |
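Review bot: The new `plog` in the `get_validity` failure branch reports the validity window but not which certificate in the OCSP trust chain failed; the subject is only printed by `DBG_log("subject: '%Y'", subject)` under `DBG_CONTROL`, so at normal log levels an operator cannot tell which certificate to renew or investigate. `subject` is in scope at this point, so the call could start `plog("certificate '%Y' is invalid (valid from %T to %T)", subject,` with the remaining arguments unchanged. The `FALSE` after each timestamp presumably selects local time rather than UTC for `%T`; if so, UTC would make these entries easier to correlate with logs from other hosts. The `¬_before` and `¬_after` tokens shown on this page look like `&not_before` and `&not_after` mangled by HTML entity decoding rather than what the commit contains. The enclosing block of valid_ocsp_response starts and ends outside both hunks.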