Fixed bug that prevented the rejection of v1 intermediate CA certificates.

author: Nikos Mavrogiannopoulos <nmav@redhat.com> 2014-02-12 16:41:33 +0100
committer: Nikos Mavrogiannopoulos <nmav@redhat.com> 2014-02-12 16:41:33 +0100
commit: 494bb8249d37a345c3566b44e52cfda00b60c8f5 (patch)
tree: 4bc1cba432f3540ccbadc1d4f2b2deb65afe7147
parent: 6d3e17ede017d1c7cbf7575c6223a40ce78cf364 (diff)
download: gnutls-494bb8249d37a345c3566b44e52cfda00b60c8f5.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index cb8289e36b..86a901eced 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -674,7 +674,10 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
        * certificates can exist in a supplied chain.
        */
       if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
-        flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+        {
+          flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+          flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
+        }
       if ((ret =
            _gnutls_verify_certificate2 (certificate_list[i - 1],
                                         &certificate_list[i], 1, flags,
author	Nikos Mavrogiannopoulos <nmav@redhat.com>	2014-02-12 16:41:33 +0100
committer	Nikos Mavrogiannopoulos <nmav@redhat.com>	2014-02-12 16:41:33 +0100
commit	494bb8249d37a345c3566b44e52cfda00b60c8f5 (patch)
tree	4bc1cba432f3540ccbadc1d4f2b2deb65afe7147
parent	6d3e17ede017d1c7cbf7575c6223a40ce78cf364 (diff)
download	gnutls-494bb8249d37a345c3566b44e52cfda00b60c8f5.tar.gz