From d424d2ef710b4f45c06bfad79089bd998d5a35f9 Mon Sep 17 00:00:00 2001 From: Sadie Powell Date: Sun, 26 Oct 2025 15:12:17 +0000 Subject: Fix allowing expired client certificates in some cases. This fixes a regression from v3. --- src/modules/m_sslinfo.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/modules/m_sslinfo.cpp b/src/modules/m_sslinfo.cpp index 4a1f73f74..bebd08155 100644 --- a/src/modules/m_sslinfo.cpp +++ b/src/modules/m_sslinfo.cpp @@ -373,7 +373,7 @@ public: whois.SendLine(RPL_WHOISSECURE, "is using a secure connection"); ssl_cert* cert = cmd.sslapi.GetCertificate(whois.GetTarget()); - if (cert) + if (!cert || !cert->IsUsable()) { if (!cmd.operonlyfp || whois.IsSelfWhois() || whois.GetSource()->IsOper()) { @@ -415,7 +415,7 @@ public: } const std::string fingerprint = oper->GetConfig()->getString("fingerprint"); - if (!fingerprint.empty() && (!cert || !MatchFingerprint(cert, fingerprint))) + if (!fingerprint.empty() && (!cert || !cert->IsUsable() || !MatchFingerprint(cert, fingerprint))) { if (!automatic) { -- cgit v1.3.1-10-gc9f91