certvalidator

OCSP timestamp validation fails due to different date precisions

Open zaddach opened this issue 6 years ago • 1 comments

On my system, checking moment against cert_response['this_update'].native when treating an OCSP response fails here. The reason for this is that moment is a datetime object with nanoseconds (on my Linux system), and cert_response['this_update'].native is a datetime object with seconds precision. I've fixed this for myself by subtracting a timedelta(seconds = 1) from moment in the comparison (and adding one second to moment in the next comparison here), which is fine for my purposes, but might not be a good solution in general.

zaddach, Jul 22 '19 12:07

I suspect that a bigger 'slop' is required to deal with some (small) time skew between client and OCSP server. I'd default it to 10 seconds, but allow an arbitrary value to be used.

pjsg, Mar 06 '20 22:03
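
The tolerance-based comparison discussed in this thread, as an added example that is not part of the issue and is not certvalidator's code. The function name `ocsp_window_status`, the `tolerance` parameter and the sample timestamps are assumptions made for illustration; the 10-second default is the value suggested in the comment above.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical default, taken from the 10-second suggestion in the comment above.
DEFAULT_TOLERANCE = timedelta(seconds=10)


def ocsp_window_status(moment, this_update, next_update=None,
                       tolerance=DEFAULT_TOLERANCE):
    """Classify an OCSP response's validity window against `moment`.

    Returns "ok", "not_yet_valid" or "expired". All datetimes are assumed
    to be timezone-aware; naive values are rejected rather than guessed at.
    """
    if tolerance < timedelta(0):
        raise ValueError("tolerance must not be negative")
    for name, value in (("moment", moment), ("this_update", this_update),
                        ("next_update", next_update)):
        if value is not None and value.tzinfo is None:
            raise ValueError(name + " must be timezone-aware")
    # this_update has seconds precision (as the issue reports), so compare
    # with slack instead of requiring moment >= this_update exactly.
    if moment + tolerance < this_update:
        return "not_yet_valid"
    # nextUpdate is optional in OCSP; without it no upper bound is checked here.
    if next_update is not None and moment - tolerance > next_update:
        return "expired"
    return "ok"


# Constructed sample values (not from a real responder).
THIS_UPDATE = datetime(2019, 7, 22, 12, 7, 0, tzinfo=timezone.utc)
NEXT_UPDATE = THIS_UPDATE + timedelta(hours=4)
# Validation clock 0.4 s behind the responder's whole-second stamp.
MOMENT = THIS_UPDATE - timedelta(microseconds=400000)

if __name__ == "__main__":
    # Zero tolerance reproduces the strict comparison and rejects the response.
    print(ocsp_window_status(MOMENT, THIS_UPDATE, NEXT_UPDATE, timedelta(0)))
    # The default tolerance absorbs the sub-second difference.
    print(ocsp_window_status(MOMENT, THIS_UPDATE, NEXT_UPDATE))
    # A response one minute past next_update is still rejected.
    print(ocsp_window_status(NEXT_UPDATE + timedelta(minutes=1),
                             THIS_UPDATE, NEXT_UPDATE))
```

The tolerance applies on both ends of the window, so it also extends how long a response past its `next_update` is accepted; keep it as small as the observed clock skew allows.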