From 7d7803a4d9a21d95a005294f4eaca326bc076138 Mon Sep 17 00:00:00 2001
From: Aldo Cortesi <aldo@nullcube.com>
Date: Sat, 11 Jun 2011 15:16:16 +1200
Subject: Add a hideous kludge to fix not-yet-valid certificates.

- The OpenSSL x509 has no way to explicitly set the notBefore value on
certificates.

- If two systems have the same configured time, it's possible to return a
certificate before the validity start time has arrived.

- We "solve" this by waiting for one second when a certificate is first
generated before returning the cert. The alternative is to rewrite pretty much
all of our certificate generation, a thought too horrible to contemplate.
---
 libmproxy/utils.py | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'libmproxy/utils.py')

diff --git a/libmproxy/utils.py b/libmproxy/utils.py
index 699cb863..209ec27a 100644
--- a/libmproxy/utils.py
+++ b/libmproxy/utils.py
@@ -14,6 +14,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import re, os, subprocess, datetime, textwrap, errno, sys, time, functools
 
+CERT_SLEEP_TIME = 1
 
 def timestamp():
     """
@@ -485,6 +486,7 @@ def dummy_cert(certdir, ca, commonname):
             stdin=subprocess.PIPE
         )
         if ret: return None
+    time.sleep(CERT_SLEEP_TIME)
     return certpath
 
 
-- 
cgit v1.2.3