From 387a12ab5ef13d51f26c875f33437896a3cc225c Mon Sep 17 00:00:00 2001
From: Simon Rozman
Date: Tue, 23 Aug 2016 17:41:20 +0200
Subject: [PATCH] Additional cases of invalid certificate caught

---
 lib/TLS/src/Method.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/TLS/src/Method.cpp b/lib/TLS/src/Method.cpp
index 3f70aed..bd698fc 100644
--- a/lib/TLS/src/Method.cpp
+++ b/lib/TLS/src/Method.cpp
@@ -747,9 +747,9 @@ void eap::method_tls::verify_server_trust() const
 if (context->TrustStatus.dwErrorStatus != CERT_TRUST_NO_ERROR &&
 (cfg_method->m_trusted_root_ca.empty() || (context->TrustStatus.dwErrorStatus & ~CERT_TRUST_IS_UNTRUSTED_ROOT) != CERT_TRUST_NO_ERROR))
 {
- if (context->TrustStatus.dwErrorStatus & CERT_TRUST_IS_NOT_TIME_VALID)
+ if (context->TrustStatus.dwErrorStatus & (CERT_TRUST_IS_NOT_TIME_VALID | CERT_TRUST_IS_NOT_TIME_NESTED))
 throw sec_runtime_error(SEC_E_CERT_EXPIRED, __FUNCTION__ " Server certificate has expired (or is not valid yet).");
- else if (context->TrustStatus.dwErrorStatus & CERT_TRUST_IS_UNTRUSTED_ROOT)
+ else if (context->TrustStatus.dwErrorStatus & (CERT_TRUST_IS_UNTRUSTED_ROOT | CERT_TRUST_IS_PARTIAL_CHAIN))
 throw sec_runtime_error(SEC_E_UNTRUSTED_ROOT, __FUNCTION__ " Server's certificate not issued by one of configured trusted root CAs.");
 else
 throw sec_runtime_error(SEC_E_CERT_UNKNOWN, __FUNCTION__ " Error validating server certificate.");
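Review bot: The added CERT_TRUST_IS_PARTIAL_CHAIN case in the second `else if` reuses the untrusted-root message, so an incomplete chain (typically a server that omits its intermediate CA certificate) is reported as "not issued by one of configured trusted root CAs", which points the operator at the wrong fix. A separate branch keeps the same error code but names the real cause: `else if (context->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN) throw sec_runtime_error(SEC_E_UNTRUSTED_ROOT, __FUNCTION__ " Server certificate chain is incomplete (missing intermediate CA certificate).");`. The same applies to CERT_TRUST_IS_NOT_TIME_NESTED in the first branch, which is a validity-period nesting fault rather than an expiry, so the "has expired (or is not valid yet)" text is presumably only approximate for it. The final `else` still discards `dwErrorStatus`, so revocation and signature failures (CERT_TRUST_IS_REVOKED, CERT_TRUST_IS_NOT_SIGNATURE_VALID) stay indistinguishable in logs; appending the numeric status to the generic message would make incident diagnosis much easier. verify_server_trust() begins before the hunk, and hoisting the repeated `context->TrustStatus.dwErrorStatus` into a `const DWORD` local would belong there.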