diff options
author | Martin von Gagern <Martin.vGagern@gmx.net> | 2008-11-03 13:35:13 +0100 |
---|---|---|
committer | Simon Josefsson <simon@josefsson.org> | 2008-11-06 08:49:08 +0100 |
commit | df9291523eed14ef9285975597c714d6f095e05f (patch) | |
tree | ef366d2629401d2f1c702931132620fddf22910e | |
parent | 7787803e2a05cb8ead0deb1438356fb691a53703 (diff) | |
download | gnutls-df9291523eed14ef9285975597c714d6f095e05f.tar.gz |
Drop self signed certificate from certificate chain before validating certificates. This avoids the penultimate certificate to get incorrectly trusted.
Signed-off-by: Simon Josefsson <simon@josefsson.org>
-rw-r--r-- | lib/x509/verify.c | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 041a450ebd..8fa90dc505 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -374,6 +374,17 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list, int i = 0, ret; unsigned int status = 0, output; + /* Check if the last certificate in the path is self signed. + * In that case ignore it (a certificate is trusted only if it + * leads to a trusted party by us, not the server's). + */ + if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], + certificate_list[clist_size - 1]) > 0 + && clist_size > 0) + { + clist_size--; + } + /* Verify the last certificate in the certificate path * against the trusted CA certificate list. * @@ -412,17 +423,6 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list, } #endif - /* Check if the last certificate in the path is self signed. - * In that case ignore it (a certificate is trusted only if it - * leads to a trusted party by us, not the server's). - */ - if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], - certificate_list[clist_size - 1]) > 0 - && clist_size > 0) - { - clist_size--; - } - /* Verify the certificate path (chain) */ for (i = clist_size - 1; i > 0; i--) |