From 9c6b102ee0a687985fa0f1ed834aacef3064b1a4 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Wed, 25 Apr 2018 11:38:22 +0200
Subject: [PATCH] openssl: Fail CRL validity check if thisUpdate is in the
 future

---
 src/libstrongswan/plugins/openssl/openssl_crl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index 88f7a67c20..bb5f20dcff 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -358,7 +358,7 @@ METHOD(certificate_t, get_validity, bool,
 	{
 		*not_after = this->nextUpdate;
 	}
-	return t <= this->nextUpdate;
+	return (t >= this->thisUpdate && t <= this->nextUpdate);
 }
 
 METHOD(certificate_t, get_encoding, bool,