Diffstat (limited to 'lib')
-rw-r--r-- | lib/gtls.c | 30 |
1 files changed, 24 insertions, 6 deletions
diff --git a/lib/gtls.c b/lib/gtls.c
index f3ab78c3c..e8f5deb7a 100644
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -135,10 +135,26 @@ Curl_gtls_connect(struct connectdata *conn,
     return CURLE_SSL_CONNECT_ERROR;
   }
-  /* set the trusted CA cert bundle file */
-  rc = gnutls_certificate_set_x509_trust_file(conn->ssl[sockindex].cred,
-                                              data->set.ssl.CAfile,
-                                              GNUTLS_X509_FMT_PEM);
+  if(data->set.ssl.CAfile) {
+    /* set the trusted CA cert bundle file */
+
+    /*
+     * Unfortunately, if a file name is set here and this function fails for
+     * whatever reason (missing file, bad file, etc), gnutls will no longer
+     * handshake properly but it just loops forever. Therefore, we must return
+     * error here if we get an error when setting the CA cert file name.
+     *
+     * (Question/report posted to the help-gnutls mailing list, April 8 2005)
+     */
+    rc = gnutls_certificate_set_x509_trust_file(conn->ssl[sockindex].cred,
+                                                data->set.ssl.CAfile,
+                                                GNUTLS_X509_FMT_PEM);
+    if(rc) {
+      failf(data, "error reading the ca cert file %s",
+            data->set.ssl.CAfile);
+      return CURLE_SSL_CACERT;
+    }
+  }
   /* Initialize TLS session as a client */
   rc = gnutls_init(&conn->ssl[sockindex].session, GNUTLS_CLIENT);
@@ -404,8 +420,10 @@ void Curl_gtls_close_all(struct SessionHandle *data)
 static void close_one(struct connectdata *conn, int index)
 {
-  gnutls_bye(conn->ssl[index].session, GNUTLS_SHUT_RDWR);
-  gnutls_deinit(conn->ssl[index].session);
+  if(conn->ssl[index].session) {
+    gnutls_bye(conn->ssl[index].session, GNUTLS_SHUT_RDWR);
+    gnutls_deinit(conn->ssl[index].session);
+  }
   gnutls_certificate_free_credentials(conn->ssl[index].cred);
 } |
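Review bot: The new error check `if(rc)` after gnutls_certificate_set_x509_trust_file treats every non-zero return as a failure, but the GnuTLS API documents that call as returning the number of certificates processed on success and a negative value on error, so a CA bundle that loads one or more certificates would make this branch fail the connect with CURLE_SSL_CACERT. The test should be `if(rc < 0) {` so that only real errors abort, and it is worth logging the count on the success path, e.g. `infof(data, "found %d certificates in %s\n", rc, data->set.ssl.CAfile);`, since a bundle that yields zero trusted certificates will otherwise pass silently and leave nothing to verify the peer against. Note also that when CAfile is unset the trust store is never populated, so whether peer verification can still be meaningfully enforced depends on code outside this hunk; Curl_gtls_connect's body starts and ends outside the hunk.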
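Review bot: close_one now guards the session handle against NULL but never clears it after gnutls_deinit, so a second call on the same connection slot would pass the freed session to gnutls_bye again; adding `conn->ssl[index].session = NULL;` inside the new if-block after gnutls_deinit makes the guard actually protect against that. The credentials handle has the same shape of problem on the following line: gnutls_certificate_free_credentials is called unconditionally and the pointer is not reset, so the same NULL check and `conn->ssl[index].cred = NULL;` would keep the teardown idempotent (assuming cred may also be unallocated on an early connect failure, which this hunk does not show). The return value of gnutls_bye is ignored, which is acceptable for a best-effort close but deserves a one-line comment saying so.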