httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: svn commit: r760866 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml modules/proxy/mod_proxy_http.c modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_io.c modules/ssl/ssl_private.h
Date Mon, 27 Apr 2009 19:45:41 GMT


On 04/27/2009 06:08 PM, Joe Orton wrote:
> On Wed, Apr 01, 2009 at 12:07:49PM -0000, rpluem@apache.org wrote:
>> Author: rpluem
>> Date: Wed Apr  1 12:07:47 2009
>> New Revision: 760866
>>
>> URL: http://svn.apache.org/viewvc?rev=760866&view=rev
>> Log:
> ...
>> +        if (sc->proxy_ssl_check_peer_expire == SSL_ENABLED_TRUE) {
>> +            apr_time_t start_time;
>> +            apr_time_t end_time;
>> +            apr_time_t now;
>> +
>> +            start_time = parseASN1time(c->pool,
>> +                                       ssl_var_lookup(NULL, c->base_server,
>> +                                                      c, NULL,
>> +                                                      "SSL_CLIENT_V_START"));
>> +            end_time = parseASN1time(c->pool,
>> +                                     ssl_var_lookup(NULL, c->base_server,
>> +                                                    c, NULL,
>> +                                                    "SSL_CLIENT_V_END"));
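
Review bot: in both parseASN1time() calls the string returned by ssl_var_lookup() is passed straight through, with no check that the lookup produced a non-empty value, and the visible lines do not show what start_time and end_time hold when the variable is missing or the date does not parse. That path should reject the connection instead of comparing `now` against a zero apr_time_t, so that proxy_ssl_check_peer_expire fails closed. A short comment on why the SSL_CLIENT_V_* names are used inside a proxy peer check would also help the next reader.
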
> 
> You can (and should) use X509_get_notBefore(), X509_get_notAfter() to 
> get the end/start times from sslconn->client_cert; can check for expiry 
> using X509_cmp_current_time() on the returned values.  Should require 1 
> less ASN.1 date parser!

Thanks for the pointer. Due to bad luck this is already backported :-(.
But I will have a look to improve this on trunk and propose it for backport
afterwards.

> Also maybe default these to "on" for the trunk?

Makes sense. I will tackle this separately and after the first issue.

> Sorry, I'm about a month behind on reading svn commits now :( Joe


No problem. Comments are always welcome.

Regards

Rüdiger


