34 lines
1.1 KiB
Diff
34 lines
1.1 KiB
Diff
From 467478d8ff08a3cb4be3034ff04c9d08a0ceba3e Mon Sep 17 00:00:00 2001
|
|
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
Date: Wed, 12 Feb 2014 16:41:33 +0100
|
|
Subject: [PATCH 1/5] Fixed bug that prevented the rejection of v1 intermediate
|
|
CA certificates.
|
|
|
|
Upstream-Status: Backport
|
|
|
|
Signed-off-by: Karl Hiramoto <karl@hiramoto.org>
|
|
|
|
---
|
|
lib/x509/verify.c | 5 ++++-
|
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
|
|
index 2efcebf..c9a6b0d 100644
|
|
--- a/lib/x509/verify.c
|
|
+++ b/lib/x509/verify.c
|
|
@@ -645,7 +645,10 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
|
|
* certificates can exist in a supplied chain.
|
|
*/
|
|
if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
|
|
- flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
|
|
+ {
|
|
+ flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
|
|
+ flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
|
|
+ }
|
|
if ((ret =
|
|
_gnutls_verify_certificate2 (certificate_list[i - 1],
|
|
&certificate_list[i], 1, flags,
|
|
--
|
|
1.8.3.2
|
|
|