On 04/27/2009 06:08 PM, Joe Orton wrote:
> On Wed, Apr 01, 2009 at 12:07:49PM -0000, [email protected] wrote:
>> Author: rpluem
>> Date: Wed Apr 1 12:07:47 2009
>> New Revision: 760866
>>
>> URL: http://svn.apache.org/viewvc?rev=760866&view=rev
>> Log:
> ...
>> + if (sc->proxy_ssl_check_peer_expire == SSL_ENABLED_TRUE) {
>> + apr_time_t start_time;
>> + apr_time_t end_time;
>> + apr_time_t now;
>> +
>> + start_time = parseASN1time(c->pool,
>> + ssl_var_lookup(NULL, c->base_server,
>> + c, NULL,
>>
>> "SSL_CLIENT_V_START"));
>> + end_time = parseASN1time(c->pool,
>> + ssl_var_lookup(NULL, c->base_server,
>> + c, NULL,
>> + "SSL_CLIENT_V_END"));
>
> You can (and should) use X509_get_notBefore(), X509_get_notAfter() to
> get the end/start times from sslconn->client_cert; can check for expiry
> using X509_cmp_current_time() on the returned values. Should require 1
> less ASN.1 date parser!
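Review bot: the two parseASN1time() calls pass the ssl_var_lookup() result for SSL_CLIENT_V_START and SSL_CLIENT_V_END straight through without checking it, and the quoted portion shows no guard on start_time/end_time before they are used against now (that comparison lies outside the quoted hunk). When no client certificate is present the lookup yields an empty value, so either check the lookup result or treat an error value from parseASN1time() as a failed check and reject the connection rather than comparing a bogus time; as the reply points out, reading X509_get_notBefore()/X509_get_notAfter() from sslconn->client_cert and comparing with X509_cmp_current_time() removes the string round-trip and the date parser altogether.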
Thanks for the pointer. Due to bad luck this is already backported :-(.
But I will have a look to improve this on trunk and propose it for
backport afterwards.

> Also maybe default these to "on" for the trunk?

Makes sense. I will tackle this separately and after the first issue.

> Sorry, I'm about a month behind on reading svn commits now :(
>
> Joe

No problem. Comments are always welcome.

Regards

Rüdiger
