authorŁukasz Stelmach <stlman@poczta.fm>2018-02-27 15:44:55 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2018-03-01 16:07:44 +0100
commit70213445fe3add019f2cff2669fd2439581922f1 (patch)
treef45016e8e033e35da7fee51013496085cfad2ad1 /src
parent6bc06b9bda7b437fa784b814aecdc0b736fb0757 (diff)
gnutls-cli: do not ask any questions with --strict-tofu
Signed-off-by: Łukasz Stelmach <stlman@poczta.fm>
Diffstat (limited to 'src')
-rw-r--r--src/cli-args.def5
-rw-r--r--src/cli.c15
2 files changed, 12 insertions, 8 deletions
diff --git a/src/cli-args.def b/src/cli-args.def
index 9a067ce78b..8ad9a98ed3 100644
--- a/src/cli-args.def
+++ b/src/cli-args.def
@@ -25,10 +25,11 @@ process.";
flag = {
name = strict-tofu;
- descrip = "Fail to connect if a known certificate has changed";
+ descrip = "Fail to connect if a certificate is unknown or a known certificate has changed";
disabled;
disable = "no";
- doc = "This option will perform authentication as with option --tofu; however, while --tofu asks whether to trust a changed public key, this option will fail in case of public key changes.";
+ doc = "This option will perform authentication as with option --tofu; however, no questions shall be asked whatsoever, neither to accept an unknown certificate nor a changed one.";
+
};
flag = {
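Review bot: The added empty `+` line just before `};` looks like stray whitespace inside the strict-tofu flag block; as far as this hunk shows, the neighbouring `flag = {` blocks close with `};` directly after their last attribute, so the blank line should be dropped to keep the block consistent. The new descrip and doc strings themselves read correctly and describe the behaviour the accompanying cli.c change introduces (no prompt for either an unknown or a changed certificate).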
diff --git a/src/cli.c b/src/cli.c
index 06e1da8af9..e1d9c7aa67 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -448,6 +448,9 @@ static int cert_verify_callback(gnutls_session_t session)
"Its certificate is valid for %s.\n",
hostname);
+ if (strictssh)
+ return -1;
+
rc = read_yesno
("Are you sure you want to trust it? (y/N): ");
if (rc == 0)
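Review bot: The new `if (strictssh) return -1;` refuses the never-before-seen host without saying why, so a non-interactive run under --strict-tofu sees only the informational "Its certificate is valid for ..." lines followed by a handshake failure, with nothing attributing the refusal to the option. Emit a diagnostic before the return, e.g. `fprintf(stderr, "Refusing to trust the certificate: --strict-tofu is set.\n");`, so the failure is explained in logs; the same applies to the equivalent early return in the second cli.c hunk (`@@ -463,13 +466,13 @@`). The check presumably relies on the file-scope `strictssh` flag being set from the --strict-tofu option elsewhere; that wiring is outside this hunk. cert_verify_callback starts before this hunk and continues past it.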
@@ -463,13 +466,13 @@ static int cert_verify_callback(gnutls_session_t session)
"Its certificate is valid for %s.\n",
hostname);
- if (strictssh == 0) {
- rc = read_yesno
- ("Do you trust the received key? (y/N): ");
- if (rc == 0)
- return -1;
- } else return -1;
+ if (strictssh)
+ return -1;
+ rc = read_yesno
+ ("Do you trust the received key? (y/N): ");
+ if (rc == 0)
+ return -1;
} else if (rc < 0) {
fprintf(stderr,
"gnutls_verify_stored_pubkey: %s\n",