From 139502583e065520e1c7a31e73c6e68969153d70 Mon Sep 17 00:00:00 2001 From: Patrick Ohly Date: Thu, 23 Jul 2009 16:03:34 +0200 Subject: [PATCH] Allow version 1 CA certificates in clients This is done by setting the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag while setting up the credentials and parsing the CA certificate file. This is necessary because without it, some releases of gnutls reject certificates that are currently in use by major sites, including Google. Setting the flag is safe in libsoup because the file is meant to contain only CA certificates. The main weakness around version 1 certs is that personal certificates could be mistaken for CA certs, which shouldn't happen if libsoup is used as intended. Servers don't have the possibility to verify their clients, so this problem doesn't apply to them. http://bugzilla.gnome.org/show_bug.cgi?id=589323 --- libsoup/soup-gnutls.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/libsoup/soup-gnutls.c b/libsoup/soup-gnutls.c index 46b4188..b4f0876 100644 --- a/libsoup/soup-gnutls.c +++ b/libsoup/soup-gnutls.c @@ -529,6 +529,10 @@ soup_ssl_get_client_credentials (const char *ca_file) creds = g_slice_new0 (SoupSSLCredentials); gnutls_certificate_allocate_credentials (&creds->creds); + /* http://bugzilla.gnome.org/show_bug.cgi?id=589323 */ + gnutls_certificate_set_verify_flags (creds->creds, + GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); + if (ca_file) { creds->have_ca_file = TRUE; status = gnutls_certificate_set_x509_trust_file ( -- 1.6.3.3