From: Ruediger Pluem
Date: Mon, 27 Apr 2009 21:45:41 +0200
To: dev@httpd.apache.org
Subject: Re: svn commit: r760866 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml modules/proxy/mod_proxy_http.c modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_io.c modules/ssl/ssl_private.h
Message-ID: <49F60B65.1060706@apache.org>
In-Reply-To: <20090427160836.GA12166@redhat.com>
References: <20090401120754.4D96E23889FD@eris.apache.org> <20090427160836.GA12166@redhat.com>

On 04/27/2009 06:08 PM, Joe Orton wrote:
> On Wed, Apr 01, 2009 at 12:07:49PM -0000, rpluem@apache.org wrote:
>> Author: rpluem
>> Date: Wed Apr 1 12:07:47 2009
>> New Revision: 760866
>>
>> URL: http://svn.apache.org/viewvc?rev=760866&view=rev
>> Log:
> ...
>> +        if (sc->proxy_ssl_check_peer_expire == SSL_ENABLED_TRUE) {
>> +            apr_time_t start_time;
>> +            apr_time_t end_time;
>> +            apr_time_t now;
>> +
>> +            start_time = parseASN1time(c->pool,
>> +                                       ssl_var_lookup(NULL, c->base_server,
>> +                                                      c, NULL,
>> +                                                      "SSL_CLIENT_V_START"));
>> +            end_time = parseASN1time(c->pool,
>> +                                     ssl_var_lookup(NULL, c->base_server,
>> +                                                    c, NULL,
>> +                                                    "SSL_CLIENT_V_END"));
>
> You can (and should) use X509_get_notBefore(), X509_get_notAfter() to
> get the end/start times from sslconn->client_cert; can check for expiry
> using X509_cmp_current_time() on the returned values. Should require 1
> less ASN.1 date parser!

Thanks for the pointer. Due to bad luck this is already backported :-(.
But I will have a look at improving this on trunk and propose it for
backport afterwards.

> Also maybe default these to "on" for the trunk?

Makes sense. I will tackle this separately and after the first issue.

> Sorry, I'm about a month behind on reading svn commits now :(
>
> Joe

No problem. Comments are always welcome.

Regards

Rüdiger
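Review bot: the quoted hunk shows no handling for the case where ssl_var_lookup() yields no usable value for SSL_CLIENT_V_START or SSL_CLIENT_V_END (no peer certificate presented, or a string parseASN1time() rejects); since this guards a proxy peer check, a missing or unparsable date should make the check fail closed rather than be compared as a time. Reading the ASN1_TIME fields straight from the certificate with X509_get_notBefore()/X509_get_notAfter() and comparing them with X509_cmp_current_time(), as the reply suggests, removes both the string round-trip and the second ASN.1 date parser, and leaves only one error case (a comparison returning 0) to handle.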