X509 time: tighten validation per RFC 5280

- Reject fractional seconds - Reject offsets - Check that the date/time digits are in valid range. - Add documentation for X509_cmp_time GH issue 2620 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
author: Emilia Kasper <emilia@openssl.org> 2017-02-17 19:00:15 +0100
committer: Emilia Kasper <emilia@openssl.org> 2017-02-24 17:37:08 +0100
commit: 80770da39ebba0101079477611b7ce2f426653c5 (patch)
tree: df2d381df58d8d0e9ad68dead17ea96c1ad17ddb /CHANGES
parent: b169c0ec40408566270fb638bcbfab01a0d2dc60 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 3e91a0899e..cda3790cc1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@
 
  Changes between 1.1.0e and 1.1.1 [xx XXX xxxx]
 
+  *) Certificate time validation (X509_cmp_time) enforces stricter
+     compliance with RFC 5280. Fractional seconds and timezone offsets
+     are no longer allowed.
+     [Emilia Käsper]
+
   *) Add support for SipHash
      [Todd Short]
author	Emilia Kasper <emilia@openssl.org>	2017-02-17 19:00:15 +0100
committer	Emilia Kasper <emilia@openssl.org>	2017-02-24 17:37:08 +0100
commit	80770da39ebba0101079477611b7ce2f426653c5 (patch)
tree	df2d381df58d8d0e9ad68dead17ea96c1ad17ddb /CHANGES
parent	b169c0ec40408566270fb638bcbfab01a0d2dc60 (diff)