authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-07-03 09:58:35 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-07-13 14:48:08 +0200
commit8bd7e1b0bd3bd6efc8fb35158e0b68014fcfce62 (patch)
tree6f9d846e804c742cb38e8eae0e86ca751d7bf7d4 /src
parent485f2551e68d1b4ee70be2960f0a241b4a2b9fb9 (diff)
downloadgnutls-8bd7e1b0bd3bd6efc8fb35158e0b68014fcfce62.tar.gz
gnutls-cli: added option to allow verification with broken algorithms
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'src')
-rw-r--r--src/cli-args.def6
-rw-r--r--src/cli.c7
2 files changed, 13 insertions, 0 deletions
diff --git a/src/cli-args.def b/src/cli-args.def
index f2e1ce1cc5..4642237c28 100644
--- a/src/cli-args.def
+++ b/src/cli-args.def
@@ -253,6 +253,12 @@ flag = {
};
flag = {
+ name = verify-allow-broken;
+ descrip = "Allow broken algorithms, such as MD5 for certificate verification";
+ doc = "";
+};
+
+flag = {
name = ranges;
descrip = "Use length-hiding padding to prevent traffic analysis";
doc = "When possible (e.g., when using CBC ciphersuites), use length-hiding padding to prevent traffic analysis.";
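Review bot: The new `verify-allow-broken` flag is added with `doc = "";`, so whatever help or manual text is generated from this file will presumably carry only the one-line description and no statement of what the option weakens. The neighbouring `ranges` flag in this same hunk has a full `doc` sentence, and a verification-weakening switch deserves at least as much. I would fill it in along the lines of `doc = "This option permits certificate chains that rely on broken algorithms, such as MD5, to pass verification. It weakens peer authentication and is meant for testing or legacy servers only.";`. If `--insecure` is meant to imply this option, as the cli.c hunk suggests, that should be stated here too.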
diff --git a/src/cli.c b/src/cli.c
index 7fb73d4f7e..28acc92218 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -78,6 +78,7 @@
/* global stuff here */
int resume, starttls, insecure, ranges, rehandshake, udp, mtu,
inline_commands;
+unsigned int global_vflags = 0;
char *hostname = NULL;
char service[32]="";
int record_max_size;
@@ -1454,6 +1455,10 @@ static void cmd_parser(int argc, char **argv)
insecure = HAVE_OPT(INSECURE);
ranges = HAVE_OPT(RANGES);
+ if (insecure || HAVE_OPT(VERIFY_ALLOW_BROKEN)) {
+ global_vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;
+ }
+
udp = HAVE_OPT(UDP);
mtu = OPT_VALUE_MTU;
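Review bot: The `insecure ||` half of the new condition is undocumented: `--insecure` now also sets `GNUTLS_VERIFY_ALLOW_BROKEN`, but nothing in this hunk or in the option's description says so. A comment above the `if` would record the intent, for example `/* --insecure also accepts broken signature algorithms */`. Because the flag lowers the bar for certificate verification for the whole run, a one-line notice when it is requested explicitly would make it visible in captured output, e.g. `fprintf(stderr, "Warning: certificate verification allows broken algorithms\n");`. The body of cmd_parser starts and ends outside this hunk, so an existing notice elsewhere cannot be ruled out from here.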
@@ -1706,6 +1711,8 @@ static void init_global_tls_stuff(void)
}
gnutls_certificate_set_pin_function(xcred, pin_callback, NULL);
+ gnutls_certificate_set_verify_flags(xcred, global_vflags);
+
if (x509_cafile != NULL) {
ret = gnutls_certificate_set_x509_trust_file(xcred,
x509_cafile,