IsCertUptodate(): consider root certs created before 2017 up-to-date

Only leaves created before 2017 should be renewed (yet). This enables IsCertUptodate() for roots as expected.
2025-09-26 11:08:51 +02:00 · 2023-11-22 17:41:20 +01:00 · 2023-11-22 17:41:20 +01:00 · 398dcf588e
commit 398dcf588e
parent b43f1e7706
1 changed files with 3 additions and 1 deletions
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@ -771,7 +771,9 @@ bool IsCertUptodate(X509* cert)
 	time_t forceRenewalEnd = 1483228800; /* January 1st, 2017 */
 	time_t renewalStart = now + RENEW_THRESHOLD;

-	return X509_cmp_time(X509_get_notBefore(cert), &forceRenewalEnd) != -1 && X509_cmp_time(X509_get_notAfter(cert), &renewalStart) != -1;
+	return (X509_cmp_time(X509_get_notBefore(cert), &forceRenewalEnd) != -1
+		|| !X509_NAME_cmp(X509_get_subject_name(cert), X509_get_issuer_name(cert)))
+		&& X509_cmp_time(X509_get_notAfter(cert), &renewalStart) != -1;
 }

 String CertificateToString(const std::shared_ptr<X509>& cert)