Abort GnuTLS certificate check if a cert in the chain is rejected.

GnuTLS is not checking dates because we disabled that in tls_negotiate(). So if we don't do this, rejecting an expired intermediate cert will have no effect. Certstat won't contain an expiration error, and tls_check_preauth() will only look at each subsequent cert in the chain's dates.

Abort GnuTLS certificate check if a cert in the chain is rejected.
GnuTLS is not checking dates because we disabled that in tls_negotiate(). So if we don't do this, rejecting an expired intermediate cert will have no effect. Certstat won't contain an expiration error, and tls_check_preauth() will only look at each subsequent cert in the chain's dates.
5fccf603 · Kevin J. McCarthy · bb0e6277 · 5fccf603
Commit 5fccf603 authored Jun 05, 2020 by Kevin J. McCarthy
--- a/mutt_ssl_gnutls.c
+++ b/mutt_ssl_gnutls.c
@@ -1219,8 +1219,12 @@ static int tls_check_certificate (CONNECTION* conn)
    rc = tls_check_one_certificate (&cert_list[i], certstat, conn->account.host,
                                    i, cert_list_size);

+    /* Stop checking if the menu cert is aborted or rejected. */
+    if (!rc)
+      break;
+
    /* add signers to trust set, then reverify */
-    if (i && rc)
+    if (i)
    {
      rcsettrust = gnutls_certificate_set_x509_trust_mem (data->xcred,
                                                          &cert_list[i],