Diffstat (limited to 'src/p11_child')
-rw-r--r--src/p11_child/p11_child_nss.c22
1 files changed, 12 insertions, 10 deletions
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 41d9fd11f..39c88d9f4 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -272,6 +272,18 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
cert_list_node->cert->nickname,
cert_list_node->cert->subjectName);
+ rv = CERT_VerifyCertificateNow(handle, cert_list_node->cert,
+ PR_TRUE, certificateUsageSSLClient,
+ NULL, NULL);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Certificate [%s][%s] not valid [%d], skipping.\n",
+ cert_list_node->cert->nickname,
+ cert_list_node->cert->subjectName, PR_GetError());
+ continue;
+ }
+
+
if (found_cert == NULL) {
found_cert = cert_list_node->cert;
} else {
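Review bot: With verification moved into the loop, a token whose certificates all fail `CERT_VerifyCertificateNow` no longer reaches the `ret = EIO` path that the second hunk removes. The result now depends on how the code after the loop treats a `found_cert` that is still `NULL`, which is not visible in this hunk, so confirm that an all-invalid token is still reported as a failure and is distinguishable from a token with no certificates. The skip message logs only the numeric `PR_GetError()` value; capturing it once with `PRErrorCode err = PR_GetError();` and also logging `PR_ErrorToString(err, PR_LANGUAGE_I_DEFAULT)` would let an operator tell an expired certificate from an untrusted issuer. The two consecutive blank `+` lines after the closing brace should be a single blank line. The body of `do_work` starts and ends outside the hunk.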
@@ -291,16 +303,6 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
goto done;
}
- rv = CERT_VerifyCertificateNow(handle, found_cert, PR_TRUE,
- certificateUsageSSLClient, NULL, NULL);
- if (rv != SECSuccess) {
- DEBUG(SSSDBG_OP_FAILURE,
- "CERT_VerifyCertificateNow failed [%d].\n",
- PR_GetError());
- ret = EIO;
- goto done;
- }
-
if (mode == OP_AUTH) {
rv = PK11_GenerateRandom(random_value, sizeof(random_value));
if (rv != SECSuccess) {