authorClaudio Jeker <claudio@cvs.openbsd.org>2023-05-30 12:14:49 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2023-05-30 12:14:49 +0000
commitdb4edd41d3ba3d68c32cf26f7f1335ae8455f641 (patch)
tree41b75ab1b9e0e268f929ffb23377b65a488db0b6 /usr.sbin/rpki-client/validate.c
parent7a414d19c7705f7aec83348388a4be3f581af55d (diff)
Revert commitid ANSBO0rBvIUtTi45:
Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.

Using the time of invocation does not work well with fast publishing CAs. It can take a few minutes to reach a repo and that CA may have issued certificates that are not yet valid if the startup time of rpki-client is used to validate. This still keeps the -P option to specify a fixed validation time.

OK beck@ job@ tb@
Diffstat (limited to 'usr.sbin/rpki-client/validate.c')
-rw-r--r--usr.sbin/rpki-client/validate.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index 0aa20157cca..69612a83900 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.62 2023/05/23 06:42:08 tb Exp $ */
+/* $OpenBSD: validate.c,v 1.63 2023/05/30 12:14:48 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -415,7 +415,7 @@ valid_x509(char *file, X509_STORE_CTX *store_ctx, X509 *x509, struct auth *a,
cryptoerrx("OBJ_dup");
if (!X509_VERIFY_PARAM_add0_policy(params, cp_oid))
cryptoerrx("X509_VERIFY_PARAM_add0_policy");
- X509_VERIFY_PARAM_set_time(params, evaluation_time);
+ X509_VERIFY_PARAM_set_time(params, get_current_time());
flags = X509_V_FLAG_CRL_CHECK;
flags |= X509_V_FLAG_PARTIAL_CHAIN;
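Review bot: The `X509_VERIFY_PARAM_set_time(params, get_current_time());` line has no comment saying why the clock is sampled per verification instead of once at startup, and this choice has now been flipped twice. I would add above it `/* Sample the clock per verification: a startup timestamp makes fresh certs from fast-publishing CAs look not-yet-valid. */`. get_current_time() is not defined in this hunk; going by the commit message it presumably returns the fixed -P time when one is given, which is worth confirming so that reproducible runs remain possible. Any other validity-window comparison in this file should use the same time source, otherwise one object can be judged against two different instants. valid_x509's body starts and ends outside the hunk.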