[prev in list] [next in list] [prev in thread] [next in thread]
List: squid-dev
Subject: Re: [PATCH] Use the right certificate when detailing SSL errors
From: Alex Rousskov <rousskov () measurement-factory ! com>
Date: 2011-11-17 15:40:04
Message-ID: 4EC52AD4.8080608 () measurement-factory ! com
[Download RAW message or body]
On 11/15/2011 05:40 PM, Amos Jeffries wrote:
> On Tue, 15 Nov 2011 10:06:20 -0700, Alex Rousskov wrote:
>> Hello,
>>
>> When an _intermediate_ SSL server certificate fails validation, we
>> should report errors using information in that certificate and not in
>> the top-level "peer" certificate. Otherwise, our details may make no
>> sense. For example, we could say that the validation failed due to the
>> expired certificate and show an expiration date in the future (because
>> the top-level certificate did not expire but the intermediate
>> certificate did).
>>
>> OpenSSL X509_STORE_CTX_get_current_cert() returns the certificate that
>> was being tested when our certificate validation callback was called.
>>
>>
>> Thank you,
>>
>> Alex.
>
>
> +1. Seems fine.
Committed to Squid trunk as r11864.
Thank you,
Alex.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic