author | Nikos Mavrogiannopoulos <nmav@crystal.(none)> | 2008-12-05 20:53:14 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@crystal.(none)> | 2008-12-05 20:53:14 +0200 |
commit | 04b05185944229a5e03f97513abbd6e900630ab1 (patch) | |
tree | 3a9dde8377020e023e65219d73abaaae65ef4422 | |
parent | c75014b0776eff5c907d028d2fcd945ff73fc63e (diff) | |
download | gnutls-04b05185944229a5e03f97513abbd6e900630ab1.tar.gz |
Reintroduced the self-signed certificate removal code. This time it shouldn't have the drawbacks it used to have.
-rw-r--r-- | lib/x509/verify.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 92ef72244e..00e2422ce2 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -374,6 +374,24 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
 int i = 0, ret;
 unsigned int status = 0, output;
 
+ if (clist_size > 1)
+ {
+ /* Check if the last certificate in the path is self signed.
+ * In that case ignore it (a certificate is trusted only if it
+ * leads to a trusted party by us, not the server's).
+ *
+ * This in addition prevents from verifying self signed certificates
+ * against themselves. This although not bad caused verification
+ * failures on some root self signed certificates that use the MD2
+ * algorithm.
+ */
+ if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
+ certificate_list[clist_size - 1]) > 0)
+ {
+ clist_size--;
+ }
+ }
+
 /* Verify the last certificate in the certificate path
 * against the trusted CA certificate list.
 * |
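Review bot: The new comment calls the last certificate "self signed", but the test `gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], certificate_list[clist_size - 1]) > 0` appears to match the certificate's issuer fields against its own subject and verifies no signature, so what is dropped is better described as self-issued. Dropping it is safe only because the shortened chain must still reach a CA in the caller's trusted list, which is checked below the hunk and outside this view; the comment should say so, for example `/* Self-issued by name match only, no signature check; trust must come from the trusted CA list, never from this certificate. */`. The sentence "This although not bad caused verification failures" would read more clearly as "Verifying a root against itself is harmless, but it failed for roots signed with MD2". A negative (error) return from the issuer check leaves the certificate in the list, which is the conservative outcome and also worth stating in the comment.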