Commit 5fccf603 authored by Kevin J. McCarthy

Abort GnuTLS certificate check if a cert in the chain is rejected.

GnuTLS is not checking dates because we disabled that in
tls_negotiate().

So if we don't do this, rejecting an expired intermediate cert will
have no effect.  Certstat won't contain an expiration error, and
tls_check_preauth() will only look at each subsequent cert in the
chain's dates.
parent bb0e6277
......@@ -1219,8 +1219,12 @@ static int tls_check_certificate (CONNECTION* conn)
rc = tls_check_one_certificate (&cert_list[i], certstat, conn->account.host,
i, cert_list_size);
/* Stop checking if the menu cert is aborted or rejected. */
if (!rc)
break;
/* add signers to trust set, then reverify */
if (i && rc)
if (i)
{
rcsettrust = gnutls_certificate_set_x509_trust_mem (data->xcred,
&cert_list[i],
......
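Review bot: the new early exit (`if (!rc) break;`) is placed before the trust-set update, so the visible lines do not show what tls_check_certificate returns once the loop is left early; please confirm that the code after the loop returns `rc` (0 on rejection) rather than a value derived from the last certificate processed, otherwise the rejected intermediate would still be accepted despite the break. Dropping `rc` from `if (i && rc)` to `if (i)` is consistent with the break, since `rc` is always nonzero at that point. Minor: the comment "Stop checking if the menu cert is aborted or rejected." reads oddly; "Stop checking if the cert menu is aborted or the cert is rejected." says what the check does.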