deal with crls being expired / not-yet-valid.

if a crl is expired or not-yet-valid SSL_get_verify_result() will return these errors too so check for them explicitly instead of depending on X509_V_OK. found by @dacechavez
2024-11-16 15:06:37 +01:00 · 2019-01-19 11:49:54 +01:00 · 2019-01-19 11:49:54 +01:00 · 3f083d6126
commit 3f083d6126
parent d1e87c1a54
1 changed files with 6 additions and 1 deletions
--- a/src/connection.c
+++ b/src/connection.c
@ -306,7 +306,12 @@ kore_connection_handle(struct connection *c)
 		}

 		r = SSL_get_verify_result(c->ssl);
-		if (r != X509_V_OK) {
+		switch (r) {
+		case X509_V_OK:
+		case X509_V_ERR_CRL_NOT_YET_VALID:
+		case X509_V_ERR_CRL_HAS_EXPIRED:
+			break;
+		default:
 			kore_debug("SSL_get_verify_result(): %d, %s",
 			    r, ssl_errno_s);
 			return (KORE_RESULT_ERROR);