my($date1,$date2,$date3,$expired) = ($1,$2,$3,$4);
$expired = '' if !defined $expired;
- # Round the time-difference up to nearest even value
- my($increment) = ((date_seconds($date3) - date_seconds($date2) + 1) >> 1) << 1;
+ # Round the time-difference down to nearest even value
+ my($increment) = ((date_seconds($date3) - date_seconds($date2)) >> 1) << 1;
# We used to use globally unique replacement values, but timing
# differences make this impossible. Just show the increment on the
# TLS preload
# only OpenSSL speaks of these
- next if /^TLS: preloading DH params for server/;
+ next if /^TLS: preloading (DH params|ECDH curve|CA bundle) for server/;
next if /^Diffie-Hellman initialized from default/;
- next if /^TLS: preloading ECDH curve for server/;
next if /^ECDH OpenSSL [< ]?[\d.+]+ temp key parameter settings:/;
next if /^ECDH: .'*prime256v1'/;
- next if /^watch dir/;
+ next if /^tls_verify_certificates: system$/;
+ next if /^tls_set_watch: .*\/cert.pem/;
# TLS preload
# only GnuTLS speaks of these
s/^GnuTLS using default session cipher\/priority "NORMAL"$/TLS: not preloading cipher list for server/;
next if /^GnuTLS<2>: added \d+ protocols, \d+ ciphersuites, \d+ sig algos and \d+ groups into priority list$/;
+ # only kevent platforms (FreeBSD, OpenBSD) say this
+ next if /^watch dir/;
+ next if /^watch file .*\/usr\/local/;
+ next if /^watch file .*\/etc\/ssl/;
+
# TLS preload
# there happen in different orders for OpenSSL/GnuTLS/noTLS
next if /^TLS: not preloading (CA bundle|cipher list) for server$/;