gnutls-cli: added option to allow verification with broken algorithms
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 3 Jul 2017 07:58:35 +0000 (09:58 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 13 Jul 2017 12:48:08 +0000 (14:48 +0200)
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
src/cli-args.def
src/cli.c

index f2e1ce1cc5a6058ab62a5b59c3138aff1f029670..4642237c281f45567b76423d1727ad4b0f3b4c06 100644 (file)
@@ -252,6 +252,12 @@ flag = {
     doc      = "";
 };
 
+flag = {
+    name      = verify-allow-broken;
+    descrip   = "Allow broken algorithms, such as MD5 for certificate verification";
+    doc = "";
+};
+
 flag = {
     name      = ranges;
     descrip   = "Use length-hiding padding to prevent traffic analysis";
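Review bot: The new `verify-allow-broken` entry leaves its `doc` field empty, so the generated man page and `--help` text say nothing beyond the one-line descrip about what "broken" covers or that the option lowers the certificate verification bar. The neighbouring entries leave `doc` empty too, but this flag changes a security property and deserves a sentence. Suggest `doc = "Accept certificate chains whose signatures use algorithms that GnuTLS considers broken, such as MD5. Such chains are rejected by default.";` (wording to be adjusted to the exact set of algorithms the GNUTLS_VERIFY_ALLOW_BROKEN flag admits).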
index 7fb73d4f7ec2d36ea12346822c859b2010e7b683..28acc9221833f1be1ff433ab0de7532629a379a9 100644 (file)
--- a/src/cli.c
+++ b/src/cli.c
@@ -78,6 +78,7 @@
 /* global stuff here */
 int resume, starttls, insecure, ranges, rehandshake, udp, mtu,
     inline_commands;
+unsigned int global_vflags = 0;
 char *hostname = NULL;
 char service[32]="";
 int record_max_size;
@@ -1454,6 +1455,10 @@ static void cmd_parser(int argc, char **argv)
        insecure = HAVE_OPT(INSECURE);
        ranges = HAVE_OPT(RANGES);
 
+       if (insecure || HAVE_OPT(VERIFY_ALLOW_BROKEN)) {
+               global_vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;
+       }
+
        udp = HAVE_OPT(UDP);
        mtu = OPT_VALUE_MTU;
 
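Review bot: The condition on the added `if` quietly couples `--insecure` to the new flag: once `--insecure` is given, `GNUTLS_VERIFY_ALLOW_BROKEN` is also set, which (as I read the flag) means the verification status printed in that mode will no longer report the insecure-algorithm condition, even though `--insecure` previously only meant "do not abort on a failed verification". That is a deliberate choice worth recording next to the code so it is not dropped or misread later; suggest `/* --insecure already ignores the verify result, so also stop flagging broken signature algorithms in it */` above the `if`. cmd_parser starts and ends outside the hunk.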
@@ -1706,6 +1711,8 @@ static void init_global_tls_stuff(void)
        }
        gnutls_certificate_set_pin_function(xcred, pin_callback, NULL);
 
+       gnutls_certificate_set_verify_flags(xcred, global_vflags);
+
        if (x509_cafile != NULL) {
                ret = gnutls_certificate_set_x509_trust_file(xcred,
                                                             x509_cafile,
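Review bot: The verify flags are attached only to `xcred` via `gnutls_certificate_set_verify_flags`, which as I read its documentation replaces the credential's flags rather than ORing into them; nothing visible in this hunk sets flags earlier, so that is fine here, but any later `gnutls_certificate_set_verify_flags(xcred, ...)` call elsewhere in the file would silently discard `global_vflags`. Likewise, if any verification path in cli.c or common.c passes its own flags argument (e.g. a `gnutls_x509_trust_list_verify_*` call rather than `gnutls_certificate_verify_peers3`), `global_vflags` needs to be ORed into that call as well — worth confirming. A one-line comment such as `/* global_vflags is filled from --insecure/--verify-allow-broken in cmd_parser() */` would tie the two hunks together for readers. init_global_tls_stuff starts and ends outside the hunk.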