---
.../plugins/revocation/revocation_validator.c | 15 ++++++++++++---
1 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index 34f347d..b5ac32e 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -366,7 +366,7 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
bool cache, crl_t *base)
{
enumerator_t *enumerator;
- time_t revocation, valid_until;
+ time_t revocation, valid_from, valid_until, now;
crl_reason_t reason;
chunk_t serial;
crl_t *crl = (crl_t*)cand;
@@ -423,9 +423,10 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
/* select the better of the two CRLs */
if (best == NULL || crl_is_newer(crl, (crl_t*)best))
{
+ now = time(NULL);
DESTROY_IF(best);
best = cand;
- if (best->get_validity(best, NULL, NULL, &valid_until))
+ if (best->get_validity(best, NULL, &valid_from, &valid_until))
{
DBG1(DBG_CFG, " crl is valid: until %T", &valid_until, FALSE);
*valid = VALIDATION_GOOD;
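Review bot: `now` is sampled with `time(NULL)` at the top of this branch, but `get_validity()` is still called with a NULL time argument, so it presumably evaluates validity against its own reading of the clock. The validity decision and the later `now > valid_until` comparison can therefore use two different instants, and a CRL expiring in that window could be logged with the wrong reason. Passing the sampled value keeps both checks on the same instant: `if (best->get_validity(best, &now, &valid_from, &valid_until))`. The body of get_better_crl starts and ends outside this hunk.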
@@ -436,7 +437,15 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
}
else
{
- DBG1(DBG_CFG, " crl is stale: since %T", &valid_until, FALSE);
+ if (now > valid_until)
+ {
+ DBG1(DBG_CFG, " crl is stale: since %T", &valid_until, FALSE);
+ }
+ else
+ {
+ DBG1(DBG_CFG, " crl not valid yet: valid from %T",
+ &valid_from, FALSE);
+ }
*valid = VALIDATION_STALE;
}
}
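Review bot: Both branches of the new `if`/`else` reach `*valid = VALIDATION_STALE;`, so a CRL whose validity period has not started is reported to the caller exactly like an expired one and only the debug line differs. Because `best = cand` is assigned before the validity check (previous hunk), a CRL with a future start could presumably replace an older CRL that is currently valid if `crl_is_newer()` ranks it higher; that ranking is not visible here and is worth confirming. If the shared result is intended, document it above the assignment, for example `/* a CRL that is not valid yet is handled like a stale one */`. The function continues outside this hunk.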