** libgnutls: Added verification flag GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN
and made GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN the default.
+** libgnutls: Always tolerate key usage violation errors from the side
+of the peer, but also notify via an audit message.
+
** gnutls-cli: Added --local-dns option.
** danetool: Corrected bug that prevented loading PEM files.
safe_renegotiation_t sr;
unsigned int ssl3_record_version:1;
unsigned int server_precedence:1;
- unsigned int allow_key_usage_violation:1;
unsigned int allow_weak_keys:1;
/* Whether stateless compression will be used */
unsigned int stateless_compression:1;
#define ENABLE_COMPAT(x) \
(x)->no_padding = 1; \
(x)->allow_large_records = 1; \
- (x)->allow_key_usage_violation = 1; \
(x)->allow_weak_keys = 1
/* DH and RSA parameters types.
if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
{
gnutls_assert ();
- if (session->internals.priorities.allow_key_usage_violation == 0)
- return GNUTLS_E_KEY_USAGE_VIOLATION;
- else
- _gnutls_audit_log(session, "Key usage violation was detected (ignored).\n");
+ _gnutls_audit_log(session, "Peer's certificate does not allow digital signatures. Key usage violation detected (ignored).\n");
}
/* External signing. Deprecated. To be removed. */
if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
{
gnutls_assert ();
- if (session->internals.priorities.allow_key_usage_violation == 0)
- return GNUTLS_E_KEY_USAGE_VIOLATION;
- else
- _gnutls_audit_log(session, "Key usage violation was detected (ignored).\n");
+ _gnutls_audit_log(session, "Peer's certificate does not allow digital signatures. Key usage violation detected (ignored).\n");
}
if (pk_algo == GNUTLS_PK_UNKNOWN)