aboutsummaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to 'lib')
-rw-r--r--lib/ssl_gnutls.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/ssl_gnutls.c b/lib/ssl_gnutls.c
index b4bc72d5..f5e0ad47 100644
--- a/lib/ssl_gnutls.c
+++ b/lib/ssl_gnutls.c
@@ -165,11 +165,15 @@ static int verify_certificate_callback( gnutls_session_t session )
if( status & GNUTLS_CERT_INSECURE_ALGORITHM )
verifyret |= VERIFY_CERT_INSECURE_ALGORITHM;
+#ifdef GNUTLS_CERT_NOT_ACTIVATED
+ /* Amusingly, the GnuTLS function used above didn't check for expiry
+ until GnuTLS 2.8 or so. (See CVE-2009-1417) */
if( status & GNUTLS_CERT_NOT_ACTIVATED )
verifyret |= VERIFY_CERT_NOT_ACTIVATED;
if( status & GNUTLS_CERT_EXPIRED )
verifyret |= VERIFY_CERT_EXPIRED;
+#endif
/* The following check is already performed inside
* gnutls_certificate_verify_peers2, so we don't need it.
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-27 20:03:38 +0000