Reject certs and CRLs from the future

commit: 50a5c53398b5ffc3cc997a8c7d432a025c8de2f3 [log] [tgz]
author: Paul Bakker <p.j.bakker@polarssl.org> Tue Jul 08 10:59:10 2014 +0200
committer: Paul Bakker <p.j.bakker@polarssl.org> Tue Jul 08 10:59:10 2014 +0200
tree: fc2d276027caa94a1e6fe6274e076b07ebb3f8f0
parent: 0d844dd650536c19c13b67cbad82efcffd6a8d4a [diff] [blame]
diff --git a/ChangeLog b/ChangeLog
index 513f9f5..f1fc690 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -8,6 +8,7 @@
    * Forbid change of server certificate during renegotiation to prevent
      "triple handshake" attack when authentication mode is optional (the
      attack was already impossible when authentication is required).
+   * Check notBefore timestamp of certificates and CRLs from the future.
 
 Bugfix
    * Fixed X.509 hostname comparison (with non-regular characters)
commit	50a5c53398b5ffc3cc997a8c7d432a025c8de2f3	[log] [tgz]
author	Paul Bakker <p.j.bakker@polarssl.org>	Tue Jul 08 10:59:10 2014 +0200
committer	Paul Bakker <p.j.bakker@polarssl.org>	Tue Jul 08 10:59:10 2014 +0200
tree	fc2d276027caa94a1e6fe6274e076b07ebb3f8f0
parent	0d844dd650536c19c13b67cbad82efcffd6a8d4a [diff] [blame]