authorNikos Mavrogiannopoulos <nmav@gnutls.org>2004-06-24 19:01:55 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2004-06-24 19:01:55 +0000
commit832ad819c1fb1b82e12e54a95fda1e0eb3b7227c (patch)
tree4275866f119847e27f28d76d367974b80ad4c149 /includes
parent9305809c48e34605b3e412203ff608885e0ae4be (diff)
* Corrected a bug in certificate verification. Pointed out by
Yoann Vandoorselaere <yoann@prelude-ids.org>
* Added the GNUTLS_VERIFY_DO_NOT_ALLOW_SAME flag to the verification functions.
Diffstat (limited to 'includes')
-rw-r--r--includes/gnutls/x509.h6
1 files changed, 5 insertions, 1 deletions
diff --git a/includes/gnutls/x509.h b/includes/gnutls/x509.h
index 8a061bc2da..5a4e059870 100644
--- a/includes/gnutls/x509.h
+++ b/includes/gnutls/x509.h
@@ -284,10 +284,14 @@ typedef enum gnutls_certificate_verify_flags {
GNUTLS_VERIFY_DISABLE_CA_SIGN=1, /* if set a signer does not have to be
* a certificate authority.
*/
- GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT=2 /* Allow CA certificates that have version 1.
+ GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT=2,/* Allow CA certificates that have version 1.
* This might be dangerous since those haven't
* the basicConstraints extension.
*/
+ GNUTLS_VERIFY_DO_NOT_ALLOW_SAME=4 /* If a certificate is not signed by anyone
+ * trusted but exists in the trusted ca list
+ * do not treat it as trusted.
+ */
} gnutls_certificate_verify_flags;
int gnutls_x509_crt_check_issuer( gnutls_x509_crt_t cert,
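Review bot: The comment on the new `GNUTLS_VERIFY_DO_NOT_ALLOW_SAME=4` enumerator does not say what happens when the flag is left unset. It implies the default is to treat a certificate as trusted merely because it appears in the trusted CA list, even when no trusted issuer signed it, but the verification code is outside this diff, so that should be confirmed and then stated. A caller who needs stricter checking has to opt in, so I would reword the comment along the lines of `/* Default (flag unset): a certificate found in the trusted CA list is accepted even if no trusted issuer signed it. Set this flag to require a trusted signer. */`. It would also help to note once, at the top of the enum, that the values are bit masks meant to be OR-ed together, which the 1/2/4 numbering suggests. The enum opens above this hunk, and the `gnutls_x509_crt_check_issuer` declaration on the last line continues past it.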