On Wed, Apr 01, 2009 at 12:07:49PM -0000, [email protected] wrote: > Author: rpluem > Date: Wed Apr 1 12:07:47 2009 > New Revision: 760866 > > URL: http://svn.apache.org/viewvc?rev=760866&view=rev > Log: ... > + if (sc->proxy_ssl_check_peer_expire == SSL_ENABLED_TRUE) { > + apr_time_t start_time; > + apr_time_t end_time; > + apr_time_t now; > + > + start_time = parseASN1time(c->pool, > + ssl_var_lookup(NULL, c->base_server, > + c, NULL, > + "SSL_CLIENT_V_START")); > + end_time = parseASN1time(c->pool, > + ssl_var_lookup(NULL, c->base_server, > + c, NULL, > + "SSL_CLIENT_V_END"));
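Review bot: In the start_time and end_time assignments, the string returned by ssl_var_lookup() is handed straight to parseASN1time() with no check that either the lookup or the parse succeeded. The quoted lines do not show what parseASN1time() yields for a missing or malformed value, so the comparison that follows should handle that case explicitly and fail the peer check (fail closed) rather than compare against whatever comes back. A short comment stating which certificate "SSL_CLIENT_V_START" and "SSL_CLIENT_V_END" refer to on a proxy connection would also help readers of this block.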
You can (and should) use X509_get_notBefore(), X509_get_notAfter() to get the end/start times from sslconn->client_cert; can check for expiry using X509_cmp_current_time() on the returned values. Should require 1 less ASN.1 date parser!

Also maybe default these to "on" for the trunk?

Sorry, I'm about a month behind on reading svn commits now :(

Joe
