moparisthebest
/
curl
mirror of https://github.com/moparisthebest/curl
1
0
Fork 0
Code Issues Releases Wiki Activity

7.16.4 preps

This commit is contained in:
Daniel Stenberg 2007-07-10 21:36:30 +00:00
parent f84642197f
commit 4b1782c371
3 changed files with 49 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
CHANGES
View File

@ -6,6 +6,14 @@
Changelog
Version 7.16.4 (10 July 2007)
Daniel S (10 July 2007)
- Kees Cook notified us about a security flaw
(http://curl.haxx.se/docs/adv_20070710.html) in which libcurl failed to
properly reject some outdated or not yet valid server certificates when
built with GnuTLS. Kees also provided the patch.
James H (5 July 2007)
- Gavrie Philipson provided a patch that will use a more specific error
message for an scp:// upload failure. If libssh2 has his matching

5
RELEASE-NOTES
View File

@ -22,6 +22,9 @@ This release includes the following bugfixes:
o fixed the 10-at-a-time.c example
o FTP over SOCKS proxy
o improved error messages on SCP upload failures
o security flaw (http://curl.haxx.se/docs/adv_20070710.html) in which libcurl
failed to properly reject some outdated or not yet valid server certificates
when built with GnuTLS
This release includes the following known bugs:
@ -39,6 +42,6 @@ This release would not have looked like this without help, code, reports and
advice from friends like these:
Robert Iakobashvili, James Housley, Günter Knauf, James Bursa, Song Ma,
Thomas J. Moore, Gavrie Philipson
Thomas J. Moore, Gavrie Philipson, Kees Cook
Thanks! (and sorry if I forgot to mention someone)

37
lib/gtls.c
View File

@ -420,6 +420,43 @@ Curl_gtls_connect(struct connectdata *conn,
else
infof(data, "\t common name: %s (matched)\n", certbuf);
/* Check for time-based validity */
clock = gnutls_x509_crt_get_expiration_time(x509_cert);
if(clock == (time_t)-1) {
failf(data, "server cert expiration date verify failed");
return CURLE_SSL_CONNECT_ERROR;
}
if(clock < time(NULL)) {
if (data->set.ssl.verifypeer) {
failf(data, "server certificate expiration date has passed.");
return CURLE_SSL_PEER_CERTIFICATE;
}
else
infof(data, "\t server certificate expiration date FAILED\n");
}
else
infof(data, "\t server certificate expiration date OK\n");
clock = gnutls_x509_crt_get_activation_time(x509_cert);
if(clock == (time_t)-1) {
failf(data, "server cert activation date verify failed");
return CURLE_SSL_CONNECT_ERROR;
}
if(clock > time(NULL)) {
if (data->set.ssl.verifypeer) {
failf(data, "server certificate not activated yet.");
return CURLE_SSL_PEER_CERTIFICATE;
}
else
infof(data, "\t server certificate activation date FAILED\n");
}
else
infof(data, "\t server certificate activation date OK\n");
/* Show:
- ciphers used