gnutls-cli: if dane verification is used but not PKIX only check the end certificate.
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 13 May 2014 07:52:22 +0000 (09:52 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 13 May 2014 07:52:22 +0000 (09:52 +0200)
src/cli.c

index 140de65f9f177537d361bdc35d90ff56f5f3b2a7..ddf9a832ca7ab22d4dcc541df91a1be43c0d99c8 100644 (file)
--- a/src/cli.c
+++ b/src/cli.c
@@ -461,14 +461,20 @@ static int cert_verify_callback(gnutls_session_t session)
 #ifdef HAVE_DANE
        if (dane) {             /* try DANE auth */
                int port;
+               unsigned vflags = 0;
                unsigned int sflags =
                    ENABLED_OPT(LOCAL_DNS) ? 0 :
                    DANE_F_IGNORE_LOCAL_RESOLVER;
 
+               /* if we didn't verify the chain it only makes sense
+                * to check the end certificate using dane. */
+               if (ca_verify == 0)
+                       vflags |= DANE_VFLAG_ONLY_CHECK_EE_USAGE;
+
                port = service_to_port(service);
                rc = dane_verify_session_crt(NULL, session, hostname,
                                             udp ? "udp" : "tcp", port,
-                                            sflags, 0, &status);
+                                            sflags, vflags, &status);
                if (rc < 0) {
                        fprintf(stderr,
                                "*** DANE verification error: %s\n",
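Review bot: The new `if (ca_verify == 0)` branch narrows what DANE can assert without saying so: with DANE_VFLAG_ONLY_CHECK_EE_USAGE the CA-constraint usages (PKIX-TA/DANE-TA) are ignored, so a host that publishes only such TLSA records will presumably come back with an unknown/unusable DANE result rather than a verified one, and the comment above the branch should make that explicit for whoever later reads `status`. Suggested wording: `/* Without chain verification only end-entity TLSA usages can be matched; CA-constraint records are skipped, so a host publishing only those may yield no usable DANE data. */`. Minor style point: `unsigned vflags = 0;` sits next to `unsigned int sflags`, and `unsigned int vflags = 0;` keeps the two declarations consistent. `ca_verify` is set outside this hunk, and cert_verify_callback both starts before and continues after it.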