On 11/15/2011 05:40 PM, Amos Jeffries wrote:
> On Tue, 15 Nov 2011 10:06:20 -0700, Alex Rousskov wrote:
>> Hello,
>>
>> When an _intermediate_ SSL server certificate fails validation, we
>> should report errors using information in that certificate and not in
>> the top-level "peer" certificate. Otherwise, our details may make no
>> sense. For example, we could say that the validation failed due to the
>> expired certificate and show an expiration date in the future (because
>> the top-level certificate did not expire but the intermediate
>> certificate did).
>>
>> OpenSSL X509_STORE_CTX_get_current_cert() returns the certificate that
>> was being tested when our certificate validation callback was called.
>>
>>
>> Thank you,
>>
>> Alex.
>
>
> +1. Seems fine.

Committed to Squid trunk as r11864. Thank you, Alex.
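
An added illustration of the problem described in the quoted message (not code from Squid or from the committed patch): a self-contained C model, using constructed certificates with day-number validity windows, that contrasts taking error details from the peer certificate with taking them from the certificate under test. The struct and function names are hypothetical and the model does not call OpenSSL; in a real verify callback the certificate under test is what X509_STORE_CTX_get_current_cert() returns.

```c
#include <stdio.h>

/* Constructed stand-in for a certificate; validity is in abstract day numbers. */
struct cert { const char *subject; long not_before, not_after; };

/* Constructed stand-in for the state a verify callback receives. In OpenSSL
 * that state is an X509_STORE_CTX; this model does not call OpenSSL. */
struct verify_ctx {
    const struct cert *chain; /* chain[0] is the top-level "peer" certificate */
    int failed_at;            /* index of the certificate being tested, or -1 */
};

/* Check every certificate's validity window; stop at the first failure. */
int verify_chain(const struct cert *chain, int n, long now, struct verify_ctx *ctx)
{
    ctx->chain = chain;
    ctx->failed_at = -1;
    for (int i = 0; i < n; i++) {
        if (now < chain[i].not_before || now > chain[i].not_after) {
            ctx->failed_at = i;
            return 0;
        }
    }
    return 1;
}

/* Behaviour described as the problem: details always come from the peer. */
const struct cert *detail_from_peer(const struct verify_ctx *ctx)
{ return &ctx->chain[0]; }

/* Behaviour of the fix: details come from the certificate under test, the
 * role X509_STORE_CTX_get_current_cert() plays inside a real callback. */
const struct cert *detail_from_current(const struct verify_ctx *ctx)
{ return ctx->failed_at < 0 ? NULL : &ctx->chain[ctx->failed_at]; }

/* Constructed chain: valid leaf, expired intermediate, valid root. */
static const struct cert sample_chain[] = {
    { "CN=www.example.test",        100,  900 },
    { "CN=Example Intermediate CA",  10,  400 },
    { "CN=Example Root CA",           0, 5000 },
};

int main(void)
{
    struct verify_ctx ctx;
    if (!verify_chain(sample_chain, 3, 500, &ctx)) /* "today" is day 500 */
        printf("expired; peer detail: day %ld, current-cert detail: day %ld\n",
               detail_from_peer(&ctx)->not_after, detail_from_current(&ctx)->not_after);
    return 0;
}
```

With the constructed chain, the peer-based detail shows an expiry day after "today" while the current-certificate detail shows the intermediate's past expiry day.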
