From f09e479fd62e62f7f81f6219c02b14c96cff6120 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 9 Apr 2005 22:33:14 +0000 Subject: Blah, revert my removal of the extra check since the problem is there for real. Archived thread of the help-gnutls mailing list regarding this problem: http://lists.gnu.org/archive/html/help-gnutls/2005-04/msg00000.html (and I _am_ sorry for my confused behaviour on this problem.) --- lib/gtls.c | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/lib/gtls.c b/lib/gtls.c index a87c3a03b..bc7cd27e3 100644 --- a/lib/gtls.c +++ b/lib/gtls.c @@ -149,13 +149,25 @@ Curl_gtls_connect(struct connectdata *conn, return CURLE_SSL_CONNECT_ERROR; } - /* set the trusted CA cert bundle file */ - rc = gnutls_certificate_set_x509_trust_file(conn->ssl[sockindex].cred, - data->set.ssl.CAfile, - GNUTLS_X509_FMT_PEM); - if(rc) { - infof(data, "error reading the ca cert file %s", - data->set.ssl.CAfile); + if(data->set.ssl.CAfile) { + /* set the trusted CA cert bundle file */ + + /* + * Unfortunately, if a file name is set here and this function fails for + * whatever reason (missing file, bad file, etc), gnutls will no longer + * handshake properly but it just loops forever. Therefore, we must return + * error here if we get an error when setting the CA cert file name. + * + * (Question/report posted to the help-gnutls mailing list, April 8 2005) + */ + rc = gnutls_certificate_set_x509_trust_file(conn->ssl[sockindex].cred, + data->set.ssl.CAfile, + GNUTLS_X509_FMT_PEM); + if(rc) { + failf(data, "error reading the ca cert file %s", + data->set.ssl.CAfile); + return CURLE_SSL_CACERT; + } } /* Initialize TLS session as a client */ -- cgit v1.2.3