From e8ac17e17c831ed44174a22c1cb2a8dc39fcb976 Mon Sep 17 00:00:00 2001
From: Jan Vcelak
Date: Wed, 20 Jul 2011 18:55:33 +0200
Subject: [PATCH] ITS#6998 MozNSS: when cert not required, ignore issuer expiration

When server certificate is not required in a TLS session (e.g. TLS_REQCERT is set to 'never'), ignore expired issuer certificate error and do not terminate the connection.
---
 libraries/libldap/tls_m.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 32af7ec7c0..7ae7d8216c 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -671,6 +671,7 @@ tlsm_bad_cert_handler(void *arg, PRFileDesc *ssl)
 case SEC_ERROR_UNTRUSTED_ISSUER:
 case SEC_ERROR_UNKNOWN_ISSUER:
 case SEC_ERROR_EXPIRED_CERTIFICATE:
+ case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
 if (ctx->tc_verify_cert) {
 success = SECFailure;
 }
-- 
2.39.5
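Review bot: The `if (ctx->tc_verify_cert)` branch that the new `case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:` label joins has no visible else path, so when verification is off an expired issuer appears to be accepted without any trace for the operator. I would document the group with a comment above the first label, such as `/* chain errors tolerated only when tc_verify_cert is unset; the peer is then not authenticated */`. I would also consider emitting a debug-level message naming the suppressed error code in that case, so that a session established over an expired chain can be spotted in logs. The body of tlsm_bad_cert_handler starts and ends outside this hunk, so the initial value of `success` and the `default:` handling are assumed rather than confirmed here.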