Diffstat (limited to 'cpp/src')
-rw-r--r--cpp/src/Glacier/StarterI.cpp2
-rw-r--r--cpp/src/IceSSL/OpenSSLUtils.cpp63
-rw-r--r--cpp/src/IceSSL/OpenSSLUtils.h2
-rw-r--r--cpp/src/IceSSL/RSACertificateGen.cpp17
-rw-r--r--cpp/src/IceSSL/SslConnectionOpenSSLClient.cpp2
5 files changed, 83 insertions, 3 deletions
diff --git a/cpp/src/Glacier/StarterI.cpp b/cpp/src/Glacier/StarterI.cpp
index 0dfdfee5229..cec7d940c45 100644
--- a/cpp/src/Glacier/StarterI.cpp
+++ b/cpp/src/Glacier/StarterI.cpp
@@ -46,6 +46,7 @@ Glacier::StarterI::StarterI(const CommunicatorPtr& communicator, const PasswordV
"Glacier.Starter.Certificate.BitStrength", 1024);
Int secondsValid = _properties->getPropertyAsIntWithDefault(
"Glacier.Starter.Certificate.SecondsValid", IceSSL::OpenSSL::RSACertificateGenContext::daysToSeconds(1));
+ Int issuedAdjust = _properties->getPropertyAsIntWithDefault("Glacier.Starter.Certificate.IssuedAdjust", 0);
_certContext.setCountry(country);
_certContext.setStateProvince(stateProv);
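Review bot: `issuedAdjust` is taken from configuration with no range check, and in the RSACertificateGen change of this same commit it is handed to X509_gmtime_adj as a signed seconds offset on notBefore, so a positive value yields a certificate that is not valid yet and a large negative one backdates issuance without limit. Consider rejecting positive values here (or clamping both directions) and stating the unit and sign next to the property read, e.g. `// Seconds added to notBefore; a small negative value tolerates peer clock skew.`. The StarterI constructor starts before this hunk.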
@@ -55,6 +56,7 @@ Glacier::StarterI::StarterI(const CommunicatorPtr& communicator, const PasswordV
_certContext.setCommonName(commonName);
_certContext.setBitStrength(bitStrength);
_certContext.setSecondsValid(secondsValid);
+ _certContext.setSecondsValid(issuedAdjust);
}
void
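Review bot: The added line calls `_certContext.setSecondsValid(issuedAdjust)` immediately after `setSecondsValid(secondsValid)`, so the configured validity period is overwritten by the adjustment value (0 by default) and the adjustment itself is never stored. Given the `setIssuedAdjustment` setter this commit adds to RSACertificateGenContext, the intended call is `_certContext.setIssuedAdjustment(issuedAdjust);`. As written, the default configuration stamps notAfter with `X509_gmtime_adj(notAfter, 0)`, i.e. at issuance time, so every generated certificate is already expired when a peer checks it. The StarterI constructor starts before this hunk.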
diff --git a/cpp/src/IceSSL/OpenSSLUtils.cpp b/cpp/src/IceSSL/OpenSSLUtils.cpp
index e5dd3646f47..2a230096eaf 100644
--- a/cpp/src/IceSSL/OpenSSLUtils.cpp
+++ b/cpp/src/IceSSL/OpenSSLUtils.cpp
@@ -409,6 +409,69 @@ IceSSL::OpenSSL::sslGetErrors()
return errorMessage;
}
+string
+IceSSL::OpenSSL::getVerificationError(int errorCode)
+{
+ static char* errorStrings[] =
+ {
+ "Unable to get issuer's certificate.",
+ "Unable to get certificate revocation list.",
+ "Unable to decrypt certificate signature.",
+ "Unable to decrypt certificate revocation list signature.",
+ "Unable to decode issuer's public key.",
+ "Certificate signature failure.",
+ "Certificate revocation list signature failure.",
+ "Certificate not yet valid.",
+ "Certificate has expired.",
+ "Certificate revocation list not yet valid.",
+ "Certificate revocation list has expired.",
+ "Error in certificate's \"not before\" field",
+ "Error in certificate's \"not after\" field",
+ "Error in the certificate revocation list's \"last update\" field",
+ "Error in the certificate revocation list's \"next update\" field",
+ "Out of memory failure.",
+ "Encountered a zero-depth self-signed certificate.",
+ "Encountered self-signed certificate in the certificate chain.",
+ "Unable to get issuer certificate locally.",
+ "Unable to verify leaf signature.",
+ "Certificate chain too long.",
+ "Certificate has been revoked.",
+ "Invalid certificate authority.",
+ "Certificate Authority path length exceeded.",
+ "Invalid certificate purpose.",
+ "Certificate is untrusted.",
+ "Certificate is rejected.",
+ "Subject and Issuer do not match.",
+ "AKID/SKID mismatch.",
+ "AKID and Issuer Serial mismatch.",
+ "Key usage precludes certifiicate signing.",
+ "Application verification."
+ };
+
+ string errString;
+
+ if(errorCode > X509_V_ERR_KEYUSAGE_NO_CERTSIGN)
+ {
+ if(errorCode == X509_V_ERR_APPLICATION_VERIFICATION)
+ {
+ errString = "Application Verification error.";
+ }
+ else
+ {
+ ostringstream errStream;
+ errStream << "Unknown error code: " << dec << errorCode << ".";
+ errString = errStream.str();
+ }
+ }
+ else
+ {
+ errorCode -= 2;
+ errString = errorStrings[errorCode];
+ }
+
+ return errString;
+}
+
extern "C"
{
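Review bot: `errorStrings[errorCode - 2]` is reached for every code not above `X509_V_ERR_KEYUSAGE_NO_CERTSIGN`, so `X509_V_OK` (0), 1, or any negative value indexes before the array; the `else` branch needs a lower bound as well, e.g. `if(errorCode < X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT || errorCode > X509_V_ERR_KEYUSAGE_NO_CERTSIGN)` routing everything out of range to the "Unknown error code" path. The table also assumes the X509_V_ERR_* values run contiguously from `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT` (2) to `X509_V_ERR_KEYUSAGE_NO_CERTSIGN` in the OpenSSL build in use, which deserves a comment such as `// Indexed by X509_V_ERR_* code minus X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT.` — or could be replaced by OpenSSL's own `X509_verify_cert_error_string()`. The final "Application verification." entry is unreachable, since `X509_V_ERR_APPLICATION_VERIFICATION` is handled by the first branch. `static char* errorStrings[]` should be `static const char* const errorStrings[]` because it points at string literals, and "certifiicate" is misspelled.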
diff --git a/cpp/src/IceSSL/OpenSSLUtils.h b/cpp/src/IceSSL/OpenSSLUtils.h
index 32d34354e69..87c6bd2a5cb 100644
--- a/cpp/src/IceSSL/OpenSSLUtils.h
+++ b/cpp/src/IceSSL/OpenSSLUtils.h
@@ -34,6 +34,8 @@ DH* getTempDH4096();
std::string sslGetErrors();
+std::string getVerificationError(int);
+
}
}
diff --git a/cpp/src/IceSSL/RSACertificateGen.cpp b/cpp/src/IceSSL/RSACertificateGen.cpp
index 5a596b71e97..a0a21d33cad 100644
--- a/cpp/src/IceSSL/RSACertificateGen.cpp
+++ b/cpp/src/IceSSL/RSACertificateGen.cpp
@@ -56,7 +56,8 @@ IceSSL::OpenSSL::RSACertificateGenContext::yearsToSeconds(long years)
IceSSL::OpenSSL::RSACertificateGenContext::RSACertificateGenContext() :
_modulusLength(0),
- _secondsValid(0)
+ _secondsValid(0),
+ _issuedAdjustment(0)
{
}
@@ -112,6 +113,12 @@ IceSSL::OpenSSL::RSACertificateGenContext::setSecondsValid(long secondsValid)
_secondsValid = secondsValid;
}
+void
+IceSSL::OpenSSL::RSACertificateGenContext::setIssuedAdjustment(long issuedAdjustment)
+{
+ _issuedAdjustment = issuedAdjustment;
+}
+
unsigned char*
IceSSL::OpenSSL::RSACertificateGenContext::getCountry() const
{
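Review bot: `setIssuedAdjustment` has no comment on the unit or sign of its argument, and the value is passed unchanged to X509_gmtime_adj on the certificate's notBefore elsewhere in this commit; suggest `// Offset in seconds applied to notBefore at generation time: negative values backdate issuance (e.g. to tolerate clock skew), positive values delay the start of validity.`. Since there is no validation here or in the caller, the setter is also the natural place to document, or enforce, that the adjustment must not exceed the validity period.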
@@ -184,6 +191,12 @@ IceSSL::OpenSSL::RSACertificateGenContext::getSecondsValid() const
return _secondsValid;
}
+long
+IceSSL::OpenSSL::RSACertificateGenContext::getIssuedAdjustment() const
+{
+ return _issuedAdjustment;
+}
+
IceSSL::OpenSSL::RSACertificateGen::RSACertificateGen()
{
ERR_load_crypto_strings();
@@ -233,7 +246,7 @@ IceSSL::OpenSSL::RSACertificateGen::generate(const RSACertificateGenContext& con
struct X509_name_st* subjectName = X509_REQ_get_subject_name(signingRequest);
// Set valid time period.
- X509_gmtime_adj(X509_get_notBefore(x509SelfSigned), 0);
+ X509_gmtime_adj(X509_get_notBefore(x509SelfSigned), context.getIssuedAdjustment());
X509_gmtime_adj(X509_get_notAfter(x509SelfSigned), context.getSecondsValid());
// Set up subject/issuer Distinguished Name (DN).
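Review bot: Both `X509_gmtime_adj` calls ignore their return value, and a NULL result means the time field was not set on a certificate that is then signed; check them, e.g. `if(!X509_gmtime_adj(X509_get_notBefore(x509SelfSigned), context.getIssuedAdjustment()) || !X509_gmtime_adj(X509_get_notAfter(x509SelfSigned), context.getSecondsValid()))` and take the function's existing failure path. Both offsets are measured from the current time rather than from each other, so an adjustment larger than `getSecondsValid()` produces a notBefore later than notAfter; rejecting `context.getIssuedAdjustment() > context.getSecondsValid()` before the calls would catch that. A comment on the notBefore line, `// Negative adjustment backdates issuance to tolerate peer clock skew; notAfter is still measured from now.`, would make the intent clear. `generate` starts before this hunk and continues after it.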
diff --git a/cpp/src/IceSSL/SslConnectionOpenSSLClient.cpp b/cpp/src/IceSSL/SslConnectionOpenSSLClient.cpp
index 69c4161c08c..c2d82b52ff3 100644
--- a/cpp/src/IceSSL/SslConnectionOpenSSLClient.cpp
+++ b/cpp/src/IceSSL/SslConnectionOpenSSLClient.cpp
@@ -169,7 +169,7 @@ IceSSL::OpenSSL::ClientConnection::handshake(int timeout)
{
CertificateVerificationException certVerEx(__FILE__, __LINE__);
- certVerEx._message = "ssl certificate verification error";
+ certVerEx._message = getVerificationError(verifyError);
string errors = sslGetErrors();