
List:       squid-dev
Subject:    Re: [PATCH] Use the right certificate when detailing SSL errors
From:       Alex Rousskov <rousskov () measurement-factory ! com>
Date:       2011-11-17 15:40:04
Message-ID: 4EC52AD4.8080608 () measurement-factory ! com

On 11/15/2011 05:40 PM, Amos Jeffries wrote:
> On Tue, 15 Nov 2011 10:06:20 -0700, Alex Rousskov wrote:
>> Hello,
>>
>>     When an _intermediate_ SSL server certificate fails validation, we
>> should report errors using information in that certificate and not in
>> the top-level "peer" certificate. Otherwise, our details may make no
>> sense. For example, we could say that the validation failed due to the
>> expired certificate and show an expiration date in the future (because
>> the top-level certificate did not expire but the intermediate
>> certificate did).
>>
>> OpenSSL X509_STORE_CTX_get_current_cert() returns the certificate that
>> was being tested when our certificate validation callback was called.
>>
>>
>> Thank you,
>>
>> Alex.
> 
> 
> +1. Seems fine.

Committed to Squid trunk as r11864.


Thank you,

Alex.
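
An added example (not part of the original message and not Squid's code) modelling the mismatch the patch description explains: an expiry error raised for an intermediate certificate, detailed once from the peer certificate and once from the certificate that was being tested. The Cert, VerifyCtx and ErrorDetail types and every function name are hypothetical stand-ins rather than OpenSSL's API, and the chain is constructed sample data.

```c
#include <stdio.h>

/* Simplified stand-ins for X509 and X509_STORE_CTX (hypothetical, not OpenSSL's types). */
typedef struct { const char *subject; long not_after; } Cert;
typedef struct { const Cert *chain; int depth; } VerifyCtx; /* chain[0] = peer (leaf) */
typedef struct { const char *subject; long not_after; } ErrorDetail;

/* Models X509_STORE_CTX_get_current_cert(): the certificate being tested. */
static const Cert *current_cert(const VerifyCtx *c) { return &c->chain[c->depth]; }
/* Models fetching the top-level "peer" certificate of the connection. */
static const Cert *peer_cert(const VerifyCtx *c) { return &c->chain[0]; }

static ErrorDetail detail_of(const Cert *c) {
    ErrorDetail d = { c->subject, c->not_after };
    return d;
}

/* Check expiry from the root down to the leaf; on the first expired certificate,
 * record the detail both ways. Returns the failing depth, or -1 if none expired. */
int verify_chain(const Cert *chain, int n, long now,
                 ErrorDetail *from_peer, ErrorDetail *from_current) {
    VerifyCtx ctx = { chain, 0 };
    for (ctx.depth = n - 1; ctx.depth >= 0; ctx.depth--) {
        if (current_cert(&ctx)->not_after < now) {
            *from_peer = detail_of(peer_cert(&ctx));       /* misleading detail */
            *from_current = detail_of(current_cert(&ctx)); /* detail matching the error */
            return ctx.depth;
        }
    }
    return -1;
}

/* An "expired" report is self-consistent only if the date it shows is in the past. */
int detail_matches_expiry(const ErrorDetail *d, long now) { return d->not_after < now; }

/* Constructed sample chain: valid leaf, expired intermediate, valid root. */
enum { NOW = 1000000, DAY = 86400 };
static const Cert SAMPLE[3] = {
    { "CN=www.example.test", NOW + 30 * DAY },
    { "CN=Example Intermediate CA", NOW - DAY },
    { "CN=Example Root CA", NOW + 365 * DAY },
};

int main(void) {
    ErrorDetail p, c;
    printf("expired at depth %d\n", verify_chain(SAMPLE, 3, NOW, &p, &c));
    printf("peer:    %s consistent=%d\n", p.subject, detail_matches_expiry(&p, NOW));
    printf("current: %s consistent=%d\n", c.subject, detail_matches_expiry(&c, NOW));
    return 0;
}
```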