Error code -8181 is not an SSL error code; it is an NSS error code, defined in mozilla/security/nss/lib/util/secerr.h.

    #define SEC_ERROR_BASE (-0x2000) /* == -8192 */
    /*...*/
    SEC_ERROR_EXPIRED_CERTIFICATE = SEC_ERROR_BASE + 11,

I just added EXPIRED_CERTIFICATE as a new reason code in ValidityStatus.

I'm not clear on your second question. Isn't the reason already in the ValidityStatus object you got in your cert approval callback? The addReason() method is used by the certificate validator to add to the list of reasons the peer's cert failed.

Patrick wrote:
>My JSS client is not happy with my server cert (it turns out that it's
>expired) but the reason code it gets back is '-8181'.
>This code does not map to an error message in
>SSLCertificateApprovalCallback.ValidityStatus.
>
>So 2 questions from this:
>
>1. I could not figure out what '-8181' maps to in sslerr.h (which is where
>the NSS error codes live)...
>
>2. Should I add the new reason with the
>SSLCertificateApprovalCallback.ValidityStatus.addReason method?
>
>-- P
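
Added example, not part of the original message or of NSS itself: a small C helper that takes a raw negative code such as -8181 and reports which header to search and the offset from that header's base. `SEC_ERROR_BASE` is taken from the reply above; `SSL_ERROR_BASE` and the 1000-code window per family are assumptions not stated in the message, and `classify_nss_code` is a hypothetical name.

```c
#include <stdio.h>

/* From the message above (secerr.h). */
#define SEC_ERROR_BASE (-0x2000) /* == -8192 */
/* Assumptions, not stated in the message: the sslerr.h base and a
 * window of 1000 codes per family. */
#define SSL_ERROR_BASE (-0x3000) /* == -12288 */
#define ERROR_WINDOW 1000

typedef enum { FAMILY_UNKNOWN, FAMILY_SEC, FAMILY_SSL } nss_family;

typedef struct {
    nss_family family;
    const char *header; /* header to search for the symbolic name */
    int offset;         /* code - base; -1 when the family is unknown */
} nss_code_info;

/* Decide which header family a raw negative code belongs to. */
nss_code_info classify_nss_code(int code)
{
    nss_code_info info = { FAMILY_UNKNOWN, "(not a SEC_/SSL_ code)", -1 };

    if (code >= SEC_ERROR_BASE && code < SEC_ERROR_BASE + ERROR_WINDOW) {
        info.family = FAMILY_SEC;
        info.header = "secerr.h";
        info.offset = code - SEC_ERROR_BASE;
    } else if (code >= SSL_ERROR_BASE && code < SSL_ERROR_BASE + ERROR_WINDOW) {
        info.family = FAMILY_SSL;
        info.header = "sslerr.h";
        info.offset = code - SSL_ERROR_BASE;
    }
    return info;
}

int main(void)
{
    /* -8181 is from the message; the other values are constructed. */
    int samples[] = { -8181, -12288, 0 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        nss_code_info info = classify_nss_code(samples[i]);
        if (info.family == FAMILY_UNKNOWN)
            printf("%6d -> %s\n", samples[i], info.header);
        else
            printf("%6d -> %s, base + %d\n", samples[i], info.header, info.offset);
    }
    return 0;
}
```

For -8181 the helper reports secerr.h with offset 11, which matches the `SEC_ERROR_EXPIRED_CERTIFICATE = SEC_ERROR_BASE + 11` line quoted in the reply.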
