5 files changed, 40 insertions, 24 deletions

diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index 83a7386f..64e4e2f0 100644
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -301,15 +301,6 @@ unsigned long SSL_CTX_add_extra_chain_cert(SSL_CTX *, X509 *);
 
 /*  methods */
 
-/* SSLv2 support is compiled out of some versions of OpenSSL.  These will
- * get special support when we generate the bindings so that if they are
- * available they will be wrapped, but if they are not they won't cause
- * problems (like link errors).
- */
-const SSL_METHOD *SSLv2_method(void);
-const SSL_METHOD *SSLv2_server_method(void);
-const SSL_METHOD *SSLv2_client_method(void);
-
 /*
  * TLSv1_1 and TLSv1_2 are recent additions.  Only sufficiently new versions of
  * OpenSSL support them.
@@ -441,14 +432,12 @@ const long SSL_OP_LEGACY_SERVER_CONNECT = 0;
 #else
 static const long Cryptography_HAS_SECURE_RENEGOTIATION = 1;
 #endif
-#ifdef OPENSSL_NO_SSL2
+
+/* Cryptography now compiles out all SSLv2 bindings. This exists to allow
+ * clients that use it to check for SSLv2 support to keep functioning as
+ * expected.
+ */
 static const long Cryptography_HAS_SSL2 = 0;
-SSL_METHOD* (*SSLv2_method)(void) = NULL;
-SSL_METHOD* (*SSLv2_client_method)(void) = NULL;
-SSL_METHOD* (*SSLv2_server_method)(void) = NULL;
-#else
-static const long Cryptography_HAS_SSL2 = 1;
-#endif
 
 #ifdef OPENSSL_NO_SSL3_METHOD
 static const long Cryptography_HAS_SSL3_METHOD = 0;
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 8d9e5e0e..768559cf 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1372,7 +1372,7 @@ class Backend(object):
 
         # Set the subject's name.
         res = self._lib.X509_set_subject_name(
-            x509_cert, _encode_name(self, list(builder._subject_name))
+            x509_cert, _encode_name_gc(self, list(builder._subject_name))
         )
         self.openssl_assert(res == 1)
 
@@ -1423,7 +1423,7 @@ class Backend(object):
 
         # Set the issuer name.
         res = self._lib.X509_set_issuer_name(
-            x509_cert, _encode_name(self, list(builder._issuer_name))
+            x509_cert, _encode_name_gc(self, list(builder._issuer_name))
         )
         self.openssl_assert(res == 1)
 
diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py
index dad37436..206c2915 100644
--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
@@ -276,12 +276,6 @@ CONDITIONAL_NAMES = {
         "TLSv1_2_client_method",
     ],
 
-    "Cryptography_HAS_SSL2": [
-        "SSLv2_method",
-        "SSLv2_client_method",
-        "SSLv2_server_method",
-    ],
-
     "Cryptography_HAS_SSL3_METHOD": [
         "SSLv3_method",
         "SSLv3_client_method",
diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py
index c56ca5ee..49761046 100644
--- a/src/cryptography/x509/base.py
+++ b/src/cryptography/x509/base.py
@@ -436,6 +436,11 @@ class CertificateBuilder(object):
         if time <= _UNIX_EPOCH:
             raise ValueError('The not valid before date must be after the unix'
                              ' epoch (1970 January 1).')
+        if self._not_valid_after is not None and time > self._not_valid_after:
+            raise ValueError(
+                'The not valid before date must be before the not valid after '
+                'date.'
+            )
         return CertificateBuilder(
             self._issuer_name, self._subject_name,
             self._public_key, self._serial_number, time,
@@ -453,6 +458,12 @@ class CertificateBuilder(object):
         if time <= _UNIX_EPOCH:
             raise ValueError('The not valid after date must be after the unix'
                              ' epoch (1970 January 1).')
+        if (self._not_valid_before is not None and
+                time < self._not_valid_before):
+            raise ValueError(
+                'The not valid after date must be after the not valid before '
+                'date.'
+            )
         return CertificateBuilder(
             self._issuer_name, self._subject_name,
             self._public_key, self._serial_number, self._not_valid_before,
diff --git a/tests/test_x509.py b/tests/test_x509.py
index ccdff7c4..67066f04 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -1437,6 +1437,28 @@ class TestCertificateBuilder(object):
         with pytest.raises(ValueError):
             builder.subject_name(name)
 
+    def test_not_valid_before_after_not_valid_after(self):
+        builder = x509.CertificateBuilder()
+
+        builder = builder.not_valid_after(
+            datetime.datetime(2002, 1, 1, 12, 1)
+        )
+        with pytest.raises(ValueError):
+            builder.not_valid_before(
+                datetime.datetime(2003, 1, 1, 12, 1)
+            )
+
+    def test_not_valid_after_before_not_valid_before(self):
+        builder = x509.CertificateBuilder()
+
+        builder = builder.not_valid_before(
+            datetime.datetime(2002, 1, 1, 12, 1)
+        )
+        with pytest.raises(ValueError):
+            builder.not_valid_after(
+                datetime.datetime(2001, 1, 1, 12, 1)
+            )
+
     @pytest.mark.requires_backend_interface(interface=RSABackend)
     @pytest.mark.requires_backend_interface(interface=X509Backend)
     def test_public_key_must_be_public_key(self, backend):