diff options
author | Nikos Mavrogiannopoulos <nmav@crystal.(none)> | 2008-12-05 20:53:14 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@crystal.(none)> | 2008-12-05 21:03:04 +0200 |
commit | 721d3089ff529189b4a313c9088d4e87e45d2d16 (patch) | |
tree | f2a076429ef9a1fcdb11bb698d2ccd884e206e8c | |
parent | f917e19b7680a4aec3b4ad41021cdcf38fef1d7a (diff) | |
download | gnutls-721d3089ff529189b4a313c9088d4e87e45d2d16.tar.gz |
reintroduced the self signed certificate removal code. This time shouldn't have the drawbacks that used to.
-rw-r--r-- | lib/x509/verify.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 92ef72244e..00e2422ce2 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -374,6 +374,24 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list, int i = 0, ret; unsigned int status = 0, output; + if (clist_size > 1) + { + /* Check if the last certificate in the path is self signed. + * In that case ignore it (a certificate is trusted only if it + * leads to a trusted party by us, not the server's). + * + * This in addition prevents from verifying self signed certificates + * against themselves. This although not bad caused verification + * failures on some root self signed certificates that use the MD2 + * algorithm. + */ + if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], + certificate_list[clist_size - 1]) > 0) + { + clist_size--; + } + } + /* Verify the last certificate in the certificate path * against the trusted CA certificate list. * |