authorNikos Mavrogiannopoulos <nmav@crystal.(none)>2008-12-05 20:53:14 +0200
committerNikos Mavrogiannopoulos <nmav@crystal.(none)>2008-12-05 21:03:04 +0200
commit721d3089ff529189b4a313c9088d4e87e45d2d16 (patch)
treef2a076429ef9a1fcdb11bb698d2ccd884e206e8c
parentf917e19b7680a4aec3b4ad41021cdcf38fef1d7a (diff)
downloadgnutls-721d3089ff529189b4a313c9088d4e87e45d2d16.tar.gz
Reintroduced the self-signed certificate removal code. This time it shouldn't have the drawbacks it used to have.
-rw-r--r--lib/x509/verify.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 92ef72244e..00e2422ce2 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -374,6 +374,24 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
int i = 0, ret;
unsigned int status = 0, output;
+ if (clist_size > 1)
+ {
+ /* Check if the last certificate in the path is self signed.
+ * In that case ignore it (a certificate is trusted only if it
+ * leads to a trusted party by us, not the server's).
+ *
+ * This in addition prevents from verifying self signed certificates
+ * against themselves. This although not bad caused verification
+ * failures on some root self signed certificates that use the MD2
+ * algorithm.
+ */
+ if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
+ certificate_list[clist_size - 1]) > 0)
+ {
+ clist_size--;
+ }
+ }
+
/* Verify the last certificate in the certificate path
* against the trusted CA certificate list.
*
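Review bot: The comment above the `gnutls_x509_crt_check_issuer` call says "self signed", but the call only asks whether the last certificate is its own issuer. If that function compares issuer and subject names without verifying the signature (to be confirmed against its definition, which is not in this hunk), the comment should say "self-issued" so that nobody later reads this as a signature check. The comment should also record that a negative (error) return fails the `> 0` test and leaves the certificate in the chain, for example `/* on error (< 0) the certificate is kept and verified normally */`. Dropping the certificate is only safe because the code after this hunk verifies the new last certificate against the trusted CA list. A regression test with a chain ending in a peer-supplied self-issued certificate that is absent from the trusted list would pin that such a chain is still rejected. The function body starts and ends outside the hunk.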