--- gnutls-2.6.5/includes/gnutls/gnutls.h.in	
+++ gnutls-2.6.5/includes/gnutls/gnutls.h.in	
@@ -251,7 +251,13 @@ extern "C"
      */
     GNUTLS_CERT_SIGNER_NOT_FOUND = 64,
     GNUTLS_CERT_SIGNER_NOT_CA = 128,
-    GNUTLS_CERT_INSECURE_ALGORITHM = 256
+    GNUTLS_CERT_INSECURE_ALGORITHM = 256,
+
+    /* Time verification.
+     */
+    GNUTLS_CERT_NOT_ACTIVATED = 512,
+    GNUTLS_CERT_EXPIRED = 1024
+
   } gnutls_certificate_status_t;
 
   typedef enum
--- gnutls-2.6.5/includes/gnutls/x509.h	
+++ gnutls-2.6.5/includes/gnutls/x509.h	
@@ -481,7 +481,13 @@ extern "C"
 
     /* Allow certificates to be signed using the broken MD5 algorithm.
      */
-    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32
+    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
+
+    /* Disable checking of activation and expiration validity
+     * periods of certificate chains. Don't set this unless you
+     * understand the security implications.
+     */
+    GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64
   } gnutls_certificate_verify_flags;
 
   int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,
--- gnutls-2.6.5/lib/x509/verify.c	
+++ gnutls-2.6.5/lib/x509/verify.c	
@@ -493,6 +493,32 @@ _gnutls_x509_verify_certificate (const g
     }
 #endif
 
+  /* Check activation/expiration times
+   */
+  if (!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS))
+    {
+      time_t t, now = time (0);
+
+      for (i = 0; i < clist_size; i++)
+	{
+	  t = gnutls_x509_crt_get_activation_time (certificate_list[i]);
+	  if (t == (time_t) -1 || now < t)
+	    {
+	      status |= GNUTLS_CERT_NOT_ACTIVATED;
+	      status |= GNUTLS_CERT_INVALID;
+	      return status;
+	    }
+
+	  t = gnutls_x509_crt_get_expiration_time (certificate_list[i]);
+	  if (t == (time_t) -1 || now > t)
+	    {
+	      status |= GNUTLS_CERT_EXPIRED;
+	      status |= GNUTLS_CERT_INVALID;
+	      return status;
+	    }
+	}
+    }
+
   /* Verify the certificate path (chain)
    */
   for (i = clist_size - 1; i > 0; i--)
--- gnutls-2.6.5/src/common.c	
+++ gnutls-2.6.5/src/common.c	
@@ -427,6 +427,10 @@ print_cert_vrfy (gnutls_session_t sessio
     {
       if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
 	printf ("- Peer's certificate issuer is unknown\n");
+      if (status & GNUTLS_CERT_NOT_ACTIVATED)
+    printf ("- Peer's certificate chain uses not yet valid certificate\n");
+      if (status & GNUTLS_CERT_EXPIRED)
+    printf ("- Peer's certificate chain uses expired certificate\n");
       if (status & GNUTLS_CERT_INVALID)
 	printf ("- Peer's certificate is NOT trusted\n");
       else