diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-02-12 16:41:33 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-02-16 14:11:37 +0100 |
commit | 467478d8ff08a3cb4be3034ff04c9d08a0ceba3e (patch) | |
tree | 4c6ae14e700ac0b09b5af55930bfb07703fab7fc | |
parent | 5164d5a1d57cd0372a5dd074382ca960ca18b27d (diff) | |
download | gnutls-467478d8ff08a3cb4be3034ff04c9d08a0ceba3e.tar.gz |
Fixed bug that prevented the rejection of v1 intermediate CA certificates.
-rw-r--r-- | lib/x509/verify.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 2efcebfcbe..c9a6b0d24d 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -645,7 +645,10 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list, * certificates can exist in a supplied chain. */ if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) - flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); + { + flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); + flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT; + } if ((ret = _gnutls_verify_certificate2 (certificate_list[i - 1], &certificate_list[i], 1, flags, |