| author | Adnan Maolood <[email protected]> | 2020-11-05 22:30:13 -0500 |
|---|---|---|
| committer | Adnan Maolood <[email protected]> | 2020-11-05 22:30:13 -0500 |
| commit | ff6c95930be666378dee89fe3377d14912dc55c3 (patch) | |
| tree | 667ae907e5c79a68aefe82c080e5cdc84a6e2b54 /client.go | |
| parent | Don't check if certificate is expired (diff) | |
Fix TOFU (v0.1.7)
Diffstat (limited to 'client.go')
| -rw-r--r-- | client.go | 34 |
1 files changed, 17 insertions, 17 deletions
@@ -213,27 +213,27 @@ func (c *Client) verifyConnection(req *Request, cs tls.ConnectionState) error {
 if c.InsecureSkipTrust {
 return nil
 }
+ // Check the known hosts
- // No need to check if it is expired as tls already does that
 knownHost, ok := c.KnownHosts.Lookup(hostname)
- if ok {
- fingerprint := NewFingerprint(cert)
- if knownHost.Hex != fingerprint.Hex {
- return errors.New("gemini: fingerprint does not match")
+ if !ok || time.Now().Unix() >= knownHost.Expires {
+ // See if the client trusts the certificate
+ if c.TrustCertificate != nil {
+ switch c.TrustCertificate(hostname, cert) {
+ case TrustOnce:
+ c.KnownHosts.AddTemporary(hostname, cert)
+ return nil
+ case TrustAlways:
+ c.KnownHosts.Add(hostname, cert)
+ return nil
+ }
 }
- return nil
+ return errors.New("gemini: certificate not trusted")
 }
- // See if the client trusts the certificate
- if c.TrustCertificate != nil {
- switch c.TrustCertificate(hostname, cert) {
- case TrustOnce:
- c.KnownHosts.AddTemporary(hostname, cert)
- return nil
- case TrustAlways:
- c.KnownHosts.Add(hostname, cert)
- return nil
- }
+ fingerprint := NewFingerprint(cert)
+ if knownHost.Hex == fingerprint.Hex {
+ return nil
 }
- return errors.New("gemini: certificate not trusted")
+ return errors.New("gemini: fingerprint does not match")
 }
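Review bot: The new branch `if !ok || time.Now().Unix() >= knownHost.Expires` discards the stored fingerprint before calling `c.TrustCertificate(hostname, cert)`, so a host whose known-hosts entry has lapsed and which now presents a different certificate looks, to the callback, exactly like a first contact; a key change after expiry is therefore the one case this TOFU check cannot flag, and nothing in the hunk says so. If that is intended, replace `// Check the known hosts` with a comment stating it, e.g. `// A missing or expired known-hosts entry is treated as first contact: the stored fingerprint is not compared and the trust callback decides.` Otherwise consider computing `fingerprint := NewFingerprint(cert)` before the branch and, when `ok` is true but the entry has expired, comparing `knownHost.Hex` with `fingerprint.Hex` so a changed key can be reported to the user rather than silently prompted as unknown. `knownHost.Expires` is presumably a Unix timestamp, `time` must already be imported, and `hostname`/`cert` are set before the hunk begins — all of that lies outside this hunk and should be confirmed.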