authorSimon Josefsson <simon@josefsson.org>2009-02-11 17:01:50 +0100
committerSimon Josefsson <simon@josefsson.org>2009-02-11 17:01:50 +0100
commit29c3b3e7acb542bd488ceb21b1c2e427d6af9a01 (patch)
tree30f61ac10edc82876e88cfc0e766c17f732c522a
parentdea1a108b9bb09114a4d89bbc9961616b9b7cb39 (diff)
gnutls-cli: Don't permit V1 CAs by default.
-rw-r--r--NEWS2
-rw-r--r--src/cli.c5
2 files changed, 2 insertions, 5 deletions
diff --git a/NEWS b/NEWS
index d75d0beb10..2f9302449c 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,8 @@ See the end for copying conditions.
The tool now uses libgnutls' functions to print certificate
information. This avoids code duplication.
+** gnutls-cli: No longer accepts V1 CAs by default.
+
** libgnutls: gnutls_x509_crt_print prints signature algorithm in oneline mode.
** libgnutls: gnutls_openpgp_crt_print supports oneline mode.
diff --git a/src/cli.c b/src/cli.c
index 2be219f52c..97f01a4595 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -1075,11 +1075,6 @@ init_global_tls_stuff (void)
exit (1);
}
- /* there are some CAs that have a v1 certificate *%&@#*%&
- */
- gnutls_certificate_set_verify_flags (xcred,
- GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
-
if (x509_cafile != NULL)
{
ret =