$OpenBSD$
index 4640c94..18d9f55 100644
--- security/manager/ssl/src/SSLServerCertVerification.cpp.orig Fri Feb 20 15:40:38 2015
+++ security/manager/ssl/src/SSLServerCertVerification.cpp Fri Feb 20 15:40:38 2015
@@ -299,6 +299,7 @@ MapCertErrorToProbeValue(PRErrorCode errorCode)
 switch (errorCode) {
 case SEC_ERROR_UNKNOWN_ISSUER: return 2;
+ case SEC_ERROR_CA_CERT_INVALID: return 3;
 case SEC_ERROR_UNTRUSTED_ISSUER: return 4;
 case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: return 5;
 case SEC_ERROR_UNTRUSTED_CERT: return 6;
@@ -333,6 +334,7 @@ MozillaPKIXDetermineCertOverrideErrors(CERTCertificate* cert,
 // called if CertVerifier::VerifyCert succeeded.
 switch (defaultErrorCodeToReport) {
 case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
+ case SEC_ERROR_CA_CERT_INVALID:
 case SEC_ERROR_UNKNOWN_ISSUER: {
 collectedErrors = nsICertOverrideService::ERROR_UNTRUSTED;
@@ -567,6 +569,7 @@ PRErrorCodeToOverrideType(PRErrorCode errorCode)
 case SEC_ERROR_UNTRUSTED_CERT:
 case SEC_ERROR_INADEQUATE_KEY_USAGE:
 case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
+ case SEC_ERROR_CA_CERT_INVALID:
 // We group all these errors as "cert not trusted"
 return nsICertOverrideService::ERROR_UNTRUSTED;
 case SSL_ERROR_BAD_CERT_DOMAIN:
@@ -634,8 +637,9 @@ NSSDetermineCertOverrideErrors(CertVerifier& certVerifier,
 // possible failure.
 // XXX TODO: convert to VerifySSLServerCert
 // XXX TODO: get rid of error log
- certVerifier.VerifyCert(cert, stapledOCSPResponse, certificateUsageSSLServer,
- now, infoObject, 0, nullptr, nullptr, verify_log);
+ certVerifier.VerifyCert(cert, certificateUsageSSLServer,
+ now, infoObject, infoObject->GetHostNameRaw(),
+ 0, stapledOCSPResponse, nullptr, nullptr, verify_log);
 // Check the name field against the desired hostname.
 if (CERT_VerifyCertName(cert, infoObject->GetHostNameRaw()) != SECSuccess) {
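Review bot: The added `case SEC_ERROR_CA_CERT_INVALID:` in MozillaPKIXDetermineCertOverrideErrors makes a further class of chain failure user-overridable, and nothing at the label records why that is acceptable. It falls through to `collectedErrors = nsICertOverrideService::ERROR_UNTRUSTED`, so an invalid issuer certificate is reported to the override service the same way as an unknown issuer. I would add a comment at the label such as `// Issuer certificate is not valid as a CA; treated as an overridable trust error, like an unknown issuer.` The same label is added to PRErrorCodeToOverrideType in the next hunk, and the two lists have to stay identical for the override decision to be consistent, so a cross-reference comment in both places would help. Both switch bodies continue outside their hunks.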
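Review bot: The rewritten `certVerifier.VerifyCert(...)` call passes ten positional arguments, three of them `0` or `nullptr`, and the declaration it must match is not part of this patch, so a misplaced argument among the pointer parameters could compile without a diagnostic. Please check the order against the CertVerifier::VerifyCert declaration in the version being patched and label the literals in place, for instance `0 /* flags, presumably */, stapledOCSPResponse, nullptr, nullptr, verify_log);` with each `nullptr` named after the parameter it fills. The result of the call is still discarded; the comment ending in "possible failure." begins outside the hunk and presumably explains that the errors are read from `verify_log` instead, which is worth restating next to the call.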