From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 24 Aug 2005 07:40:13 +0000 (+0000)
Subject: Fixed CA cert verification using GnuTLS with the default bundle, which
X-Git-Tag: curl-7_14_1~26
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=432dfe2b8ff14dad451ec25f0bee09d454893324;p=thirdparty%2Fcurl.git

Fixed CA cert verification using GnuTLS with the default bundle, which
previously failed due to GnuTLS not allowing x509 v1 CA certs by default.
---

diff --git a/CHANGES b/CHANGES
index 548fbc6a99..1df565976a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,6 +7,10 @@
                                   Changelog
 
 
+Daniel (24 August 2005)
+- Fixed CA cert verification using GnuTLS with the default bundle, which
+  previously failed due to GnuTLS not allowing x509 v1 CA certs by default.     
+
 Daniel (19 August 2005)
 - Norbert Novotny had problems with FTPS and he helped me work out a patch
   that made curl run fine in his end. The key was to make sure we do the
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 7ff1fbb587..213e561c08 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -19,6 +19,7 @@ This release includes the following changes:
 
 This release includes the following bugfixes:
 
+ o CA cert verification with GnuTLS builds
  o handles expiry times in cookie files that go beyond 32 bits in size
  o several client problems with files, such as doing -d @file when the file
    isn't readable now gets a warning displayed
diff --git a/lib/gtls.c b/lib/gtls.c
index 7ca8a0f425..dbe3d1f77c 100644
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -151,13 +151,18 @@ Curl_gtls_connect(struct connectdata *conn,
 
   if(data->set.ssl.CAfile) {
     /* set the trusted CA cert bundle file */
+    gnutls_certificate_set_verify_flags(conn->ssl[sockindex].cred,
+                                        GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+
     rc = gnutls_certificate_set_x509_trust_file(conn->ssl[sockindex].cred,
                                                 data->set.ssl.CAfile,
                                                 GNUTLS_X509_FMT_PEM);
-    if(rc < 0) {
+    if(rc < 0)
       infof(data, "error reading ca cert file %s (%s)\n",
             data->set.ssl.CAfile, gnutls_strerror(rc));
-    }
+    else
+      infof(data, "found %d certificates in %s\n",
+            rc, data->set.ssl.CAfile);
   }
 
   /* Initialize TLS session as a client */