authorDaniel Stenberg <daniel@haxx.se>2005-08-24 07:40:13 +0000
committerDaniel Stenberg <daniel@haxx.se>2005-08-24 07:40:13 +0000
commit432dfe2b8ff14dad451ec25f0bee09d454893324 (patch)
tree2f918c8f0c965670df612c28b85721802505e717 /lib/gtls.c
parenta142372750384d74a5ec4d013458a9c757ca15f6 (diff)
Fixed CA cert verification using GnuTLS with the default bundle, which
previously failed due to GnuTLS not allowing x509 v1 CA certs by default.
Diffstat (limited to 'lib/gtls.c')
-rw-r--r--lib/gtls.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/lib/gtls.c b/lib/gtls.c
index 7ca8a0f42..dbe3d1f77 100644
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -151,13 +151,18 @@ Curl_gtls_connect(struct connectdata *conn,
if(data->set.ssl.CAfile) {
/* set the trusted CA cert bundle file */
+ gnutls_certificate_set_verify_flags(conn->ssl[sockindex].cred,
+ GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+
rc = gnutls_certificate_set_x509_trust_file(conn->ssl[sockindex].cred,
data->set.ssl.CAfile,
GNUTLS_X509_FMT_PEM);
- if(rc < 0) {
+ if(rc < 0)
infof(data, "error reading ca cert file %s (%s)\n",
data->set.ssl.CAfile, gnutls_strerror(rc));
- }
+ else
+ infof(data, "found %d certificates in %s\n",
+ rc, data->set.ssl.CAfile);
}
/* Initialize TLS session as a client */
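Review bot: A failure to load the CA bundle is still only logged: the `if(rc < 0)` branch calls infof() and falls through to session setup, so an unreadable or mistyped CAfile leaves the credentials without trust anchors. Whether the peer is rejected later depends on verification code outside this hunk. When peer verification is requested, the branch should fail the connection right there, e.g. `if(data->set.ssl.verifypeer) return CURLE_SSL_CACERT;` after the infof() call, and a result of 0 certificates probably deserves the same treatment. The new gnutls_certificate_set_verify_flags() call also relaxes a verification default and should carry a comment saying why, such as `/* the default bundle holds X.509 v1 roots, which have no basicConstraints; accept v1 certs as CAs only when they come from the trusted file */`. Curl_gtls_connect begins and continues outside the hunk.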