author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-05-13 09:52:22 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-05-13 09:52:22 +0200 |
commit | 5e72831da990dbd075d836c3e3a4df9db1ff8fef (patch) | |
tree | 8ac7889d833a64e1bbe82805bb5405097313cbf0 /src/cli.c | |
parent | b81799169867783cfee2c7755ddb634f98c333d3 (diff) | |
download | gnutls-5e72831da990dbd075d836c3e3a4df9db1ff8fef.tar.gz |
gnutls-cli: if dane verification is used but not PKIX only check the end certificate.
Diffstat (limited to 'src/cli.c')
-rw-r--r-- | src/cli.c | 8 |
1 files changed, 7 insertions, 1 deletions
@@ -461,14 +461,20 @@ static int cert_verify_callback(gnutls_session_t session)
 #ifdef HAVE_DANE
 if (dane) { /* try DANE auth */
 int port;
+ unsigned vflags = 0;
 unsigned int sflags = ENABLED_OPT(LOCAL_DNS) ? 0 : DANE_F_IGNORE_LOCAL_RESOLVER;
+ /* if we didn't verify the chain it only makes sense
+ * to check the end certificate using dane. */
+ if (ca_verify == 0)
+ vflags |= DANE_VFLAG_ONLY_CHECK_EE_USAGE;
+
 port = service_to_port(service);
 rc = dane_verify_session_crt(NULL, session, hostname, udp ? "udp" : "tcp", port,
- sflags, 0, &status);
+ sflags, vflags, &status);
 if (rc < 0) {
 fprintf(stderr, "*** DANE verification error: %s\n", |
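Review bot: Setting only `DANE_VFLAG_ONLY_CHECK_EE_USAGE` when `ca_verify == 0` means a host whose TLSA records carry just CA/TA usages has nothing for `dane_verify_session_crt` to check, and whether that comes back as an error in `rc`, a flag in `status`, or an apparent pass depends on the libdane version in use; the hunk does not show how `status` is interpreted afterwards, so this should be confirmed rather than assumed. If the intent of combining DANE with disabled chain verification is that the end-entity certificate must match a TLSA record, and the libdane in use offers it, `vflags |= DANE_VFLAG_ONLY_CHECK_EE_USAGE | DANE_VFLAG_FAIL_IF_NOT_CHECKED;` would make a TA-only record set fail explicitly instead of silently skipping the check. At minimum the new comment should state the consequence, e.g. `/* CA/TA usage records are skipped in this mode; a TLSA set holding only those is not checked. */`. The enclosing `cert_verify_callback` begins and ends outside the hunk, and the `fprintf` call on its last line continues past it.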