On 11/15/2011 05:40 PM, Amos Jeffries wrote:
> On Tue, 15 Nov 2011 10:06:20 -0700, Alex Rousskov wrote:
>> Hello,
>>
>> When an _intermediate_ SSL server certificate fails validation, we
>> should report errors using information in that certificate and not in
>> the top-level "peer" certificate. Otherwise, our details may make no
>> sense. For example, we could say that the validation failed due to the
>> expired certificate and show an expiration date in the future (because
>> the top-level certificate did not expire but the intermediate
>> certificate did).
>>
>> OpenSSL X509_STORE_CTX_get_current_cert() returns the certificate that
>> was being tested when our certificate validation callback was called.
>>
>>
>> Thank you,
>>
>> Alex.
>
>
> +1. Seems fine.
Committed to Squid trunk as r11864.
Thank you,
Alex.
Received on Thu Nov 17 2011 - 15:40:29 MST
This archive was generated by hypermail 2.2.0 : Fri Nov 18 2011 - 12:00:07 MST