+ if (gnutls_certificate_type_get (ctx->session) == GNUTLS_CRT_X509)
+ {
+ time_t now = time (NULL);
+ gnutls_x509_crt cert;
+ const gnutls_datum *cert_list;
+ unsigned int cert_list_size;
+
+ if ((err = gnutls_x509_crt_init (&cert)) < 0)
+ {
+ logprintf (LOG_NOTQUIET, _("Error initializing X509 certificate: %s\n"),
+ gnutls_strerror (err));
+ success = false;
+ goto out;
+ }
+
+ cert_list = gnutls_certificate_get_peers (ctx->session, &cert_list_size);
+ if (!cert_list)
+ {
+ logprintf (LOG_NOTQUIET, _("No certificate found\n"));
+ success = false;
+ goto out;
+ }
+ err = gnutls_x509_crt_import (cert, cert_list, GNUTLS_X509_FMT_DER);
+ if (err < 0)
+ {
+ logprintf (LOG_NOTQUIET, _("Error parsing certificate: %s\n"),
+ gnutls_strerror (err));
+ success = false;
+ goto out;
+ }
+ if (now < gnutls_x509_crt_get_activation_time (cert))
+ {
+ logprintf (LOG_NOTQUIET, _("The certificate has not yet been activated\n"));
+ success = false;
+ }
+ if (now >= gnutls_x509_crt_get_expiration_time (cert))
+ {
+ logprintf (LOG_NOTQUIET, _("The certificate has expired\n"));
+ success = false;
+ }
+ if (!gnutls_x509_crt_check_hostname (cert, host))
+ {
+ logprintf (LOG_NOTQUIET,
+ _("The certificate's owner does not match hostname %s\n"),
+ quote (host));
+ success = false;
+ }
+ gnutls_x509_crt_deinit (cert);
+ }
+
+ out: