On my system, checking moment against cert_response['this_update'].native when treating an OCSP response fails here. The reason for this is that moment is a datetime object with nanoseconds (on my Linux system), and cert_response['this_update'].native is a datetime object with seconds precision.
I've fixed this for myself by subtracting a timedelta(seconds = 1) from moment in the comparison (and adding one second to moment in the next comparison here), which is fine for my purposes, but might not be a good solution in general.
I suspect that a bigger 'slop' is required to deal with some (small) time skew between client and OCSP server. I'd default it to 10 seconds, but allow an arbitrary value to be used.
On my system, checking
moment
againstcert_response['this_update'].native
when treating an OCSP response fails here. The reason for this is thatmoment
is adatetime
object with nanoseconds (on my Linux system), andcert_response['this_update'].native
is adatetime
object with seconds precision. I've fixed this for myself by subtracting atimedelta(seconds = 1)
frommoment
in the comparison (and adding one second tomoment
in the next comparison here), which is fine for my purposes, but might not be a good solution in general.