Fix GnuTLS interactive prompt short-circuiting.
tls_verify_peers() doesn't verify expiration dates. So aborting early because of a 0 certstat and the leaf passing tls_check_preauth() does not mean subsequent intermediate certs are okay: they could be expired. In the saved-cert preauth loop, instead of just noting the tls_check_preauth() rc for the leaf, note the highest cert that passes preauth. Then, in the interactive loop (which goes in the opposite order, from CA to leaf) check that value instead. Since we are trusting certs one by one, anything that passed in the previous loop will certainly pass the preauth check at the beginning of tls_check_one_certificate().
Showing with 6 additions and 11 deletions