Commit 5fccf603 authored by Kevin J. McCarthy's avatar Kevin J. McCarthy

Abort GnuTLS certificate check if a cert in the chain is rejected.

GnuTLS is not checking dates because we disabled that in

So if we don't do this, rejecting an expired intermediate cert will
have no effect.  Certstat won't contain an expiration error, and
tls_check_preauth() will only look at each subsequent cert in the
chain's dates.
parent bb0e6277
......@@ -1219,8 +1219,12 @@ static int tls_check_certificate (CONNECTION* conn)
rc = tls_check_one_certificate (&cert_list[i], certstat, conn->,
i, cert_list_size);
/* Stop checking if the menu cert is aborted or rejected. */
if (!rc)
/* add signers to trust set, then reverify */
if (i && rc)
if (i)
rcsettrust = gnutls_certificate_set_x509_trust_mem (data->xcred,
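Review bot: the early exit added after `tls_check_one_certificate` shows `if (!rc)` with no body in the rendered hunk, so it is not visible here whether the loop is left with `break` or the function returns directly; if it is a `break`, the code after the loop must still propagate the zero `rc` (the rejected or aborted result) rather than fall through to a success path, otherwise the simplification of `if (i && rc)` to `if (i)` would let a rejected intermediate cert be added to the trust set on the next iteration, which is exactly what the commit message says must not happen. It would also help to reword the comment `/* Stop checking if the menu cert is aborted or rejected. */` to say what "menu cert" means (the certificate currently presented in the interactive prompt), since a reader of this loop otherwise has to guess.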