From 3fb20b61b6baf098db8548b11f72aebfde8bfd4e Mon Sep 17 00:00:00 2001
From: Dylan Frank
Date: Thu, 29 Mar 2018 11:11:55 -0700
Subject: [PATCH 1/1] Ignore expired or invalid client certificates (#1468). Fixes #1345.
---
 include/modules/ssl.h | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/include/modules/ssl.h b/include/modules/ssl.h
index d3372c509..930cb6dc6 100644
--- a/include/modules/ssl.h
+++ b/include/modules/ssl.h
@@ -112,9 +112,21 @@ class ssl_cert : public refcountbase
 return revoked;
 }
 
+ /** Get certificate usability
+ * @return True if the certificate is not expired nor revoked
+ */
+ bool IsUsable()
+ {
+ return !invalid && !revoked && error.empty();
+ }
+
+ /** Get CA trust status
+ * @return True if the certificate is issued by a CA
+ * and valid.
+ */
 bool IsCAVerified()
 {
- return trusted && !invalid && !revoked && !unknownsigner && error.empty();
+ return IsUsable() && trusted && !unknownsigner;
 }
 
 std::string GetMetaLine()
@@ -183,7 +195,9 @@ class SSLIOHook : public IOHook
 */
 ssl_cert* GetCertificate() const
 {
- return certificate;
+ if (certificate && certificate->IsUsable())
+ return certificate;
+ return NULL;
 }
 
 /**
-- 
2.39.2
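Review bot: The doc comment on `IsUsable()` in the first hunk promises less than the body checks: it says "not expired nor revoked", while the return also requires `!invalid` and an empty `error`, so any validation failure recorded for the certificate makes it unusable. Because the second hunk makes this method the gate for exposing a client certificate at all, the contract should be spelled out, for example `@return True if the certificate is not invalid, not revoked and has no recorded error`. Which conditions set `invalid` and `error` is decided outside this hunk (expiry is presumably one of them), so it is worth confirming that self-signed client certificates the server is meant to accept are not flagged there. The method does not modify the object and could be declared `const`, although the neighbouring `IsCAVerified()` is not either.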
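Review bot: `GetCertificate()` in the second hunk now returns NULL both when the peer sent no certificate and when it sent one that fails `IsUsable()`, so callers can no longer reach the rejected certificate's `error` and cannot log or report why it was ignored. The doc comment above the function starts outside this hunk and should state the new contract, for example `@return The peer's certificate, or NULL if none was sent or it is invalid, revoked or failed validation`. Callers that dereference the result without a null check were presumably already wrong for connections without a certificate, but they deserve a second look now that NULL is reachable for peers that did present one. If operators need visibility into rejected certificates, logging at the point where validation fails would keep that audit signal.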