From: Nikos Mavrogiannopoulos
Date: Tue, 13 May 2014 07:52:22 +0000 (+0200)
Subject: gnutls-cli: if dane verification is used but not PKIX only check the end certificate.
X-Git-Tag: gnutls_3_3_3~66
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5e72831da990dbd075d836c3e3a4df9db1ff8fef;p=thirdparty%2Fgnutls.git

gnutls-cli: if dane verification is used but not PKIX only check the end certificate.
---

diff --git a/src/cli.c b/src/cli.c
index 140de65f9f..ddf9a832ca 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -461,14 +461,20 @@ static int cert_verify_callback(gnutls_session_t session)
 #ifdef HAVE_DANE
 	if (dane) {		/* try DANE auth */
 		int port;
+		unsigned vflags = 0;
 		unsigned int sflags =
 		    ENABLED_OPT(LOCAL_DNS) ? 0 : DANE_F_IGNORE_LOCAL_RESOLVER;
 
+		/* if we didn't verify the chain it only makes sense
+		 * to check the end certificate using dane. */
+		if (ca_verify == 0)
+			vflags |= DANE_VFLAG_ONLY_CHECK_EE_USAGE;
+
 		port = service_to_port(service);
 		rc = dane_verify_session_crt(NULL, session, hostname,
 					     udp ? "udp" : "tcp", port,
-					     sflags, 0, &status);
+					     sflags, vflags, &status);
 		if (rc < 0) {
 			fprintf(stderr,
 				"*** DANE verification error: %s\n",