Fixed bug that prevented the rejection of v1 intermediate CA certificates.

author Nikos Mavrogiannopoulos <nmav@redhat.com>

Wed, 12 Feb 2014 15:41:33 +0000 (16:41 +0100)

committer Nikos Mavrogiannopoulos <nmav@redhat.com>

Wed, 12 Feb 2014 15:41:33 +0000 (16:41 +0100)
author Nikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 12 Feb 2014 15:41:33 +0000 (16:41 +0100)
committer Nikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 12 Feb 2014 15:41:33 +0000 (16:41 +0100)
diff --git a/lib/x509/verify.c b/lib/x509/verify.c

index cb8289e36b7a9a1979d8705214b4b335ce2e79c7..86a901eced8c4b73cbe2b4fd830de7129b915257 100644 (file)
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -674,7 +674,10 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
         * certificates can exist in a supplied chain.
         */
        if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
-        flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+        {
+          flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+          flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
+        }
        if ((ret =
             _gnutls_verify_certificate2 (certificate_list[i - 1],
                                          &certificate_list[i], 1, flags,
author	Nikos Mavrogiannopoulos <nmav@redhat.com>
	Wed, 12 Feb 2014 15:41:33 +0000 (16:41 +0100)
committer	Nikos Mavrogiannopoulos <nmav@redhat.com>
	Wed, 12 Feb 2014 15:41:33 +0000 (16:41 +0100)