From 5fccf603ebcf352ba783136d6b2d2600d811fb3b Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Fri, 5 Jun 2020 18:16:31 -0700
Subject: [PATCH] Abort GnuTLS certificate check if a cert in the chain is
rejected.
GnuTLS is not checking dates because we disabled that in
tls_negotiate().
So if we don't do this, rejecting an expired intermediate cert will
have no effect. Certstat won't contain an expiration error, and
tls_check_preauth() will only look at the dates of each subsequent cert
in the chain.
---
mutt_ssl_gnutls.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/mutt_ssl_gnutls.c b/mutt_ssl_gnutls.c
index 19d47b3..6f98f50 100644
--- a/mutt_ssl_gnutls.c
+++ b/mutt_ssl_gnutls.c
@@ -1199,8 +1199,12 @@ static int tls_check_certificate (CONNECTION* conn)
rc = tls_check_one_certificate (&cert_list[i], certstat, conn->account.host,
i, cert_list_size);
+ /* Stop checking if the menu cert is aborted or rejected. */
+ if (!rc)
+ break;
+
/* add signers to trust set, then reverify */
- if (i && rc) {
+ if (i) {
rcsettrust = gnutls_certificate_set_x509_trust_mem (data->xcred,
&cert_list[i],
GNUTLS_X509_FMT_DER);
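Review bot: The new comment on the break, `/* Stop checking if the menu cert is aborted or rejected. */`, reads oddly ("menu cert") and does not say why stopping matters, even though the whole fix depends on this break making a rejected intermediate effective; I would write `/* Stop if the user aborted the menu or rejected this cert: once one cert in the chain is rejected, no later cert may be checked or added to the trust set. */`. This presumes tls_check_one_certificate() returns 0 for both abort and reject, which is consistent with the old `if (i && rc)` guard but worth confirming in its definition. Signers added to data->xcred by earlier iterations remain in the trust set after the break, which is only harmless if the caller tears the connection down on a zero result; tls_check_certificate continues past this hunk, so the return path after the loop should make that explicit. Dropping `&& rc` from the trust-set guard is equivalent now that the break precedes it.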
--
2.27.0