From 5fccf603ebcf352ba783136d6b2d2600d811fb3b Mon Sep 17 00:00:00 2001
From: Kevin McCarthy
Date: Fri, 5 Jun 2020 18:16:31 -0700
Subject: [PATCH] Abort GnuTLS certificate check if a cert in the chain is rejected.

GnuTLS is not checking dates because we disabled that in tls_negotiate(). So if we don't do this, rejecting an expired intermediate cert will have no effect. Certstat won't contain an expiration error, and tls_check_preauth() will only look at each subsequent cert in the chain's dates.
---
 mutt_ssl_gnutls.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/mutt_ssl_gnutls.c b/mutt_ssl_gnutls.c
index 19d47b3..6f98f50 100644
--- a/mutt_ssl_gnutls.c
+++ b/mutt_ssl_gnutls.c
@@ -1199,8 +1199,12 @@ static int tls_check_certificate (CONNECTION* conn)
 rc = tls_check_one_certificate (&cert_list[i], certstat, conn->account.host, i, cert_list_size);
+ /* Stop checking if the menu cert is aborted or rejected. */
+ if (!rc)
+ break;
+
 /* add signers to trust set, then reverify */
- if (i && rc) {
+ if (i) {
 rcsettrust = gnutls_certificate_set_x509_trust_mem (data->xcred, &cert_list[i], GNUTLS_X509_FMT_DER);
-- 
2.27.0
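Review bot: The new `if (!rc) break;` makes the chain walk stop on a rejection, but whether that actually fails the connection depends on what follows the loop, which is outside the hunk; if the function's tail returns `rc`, the break correctly yields failure, yet a reader of this hunk cannot see that, so either an explicit `return 0;` in place of the `break` or a comment naming the post-loop return would make the abort-on-reject path self-evident. The added comment's "menu cert" reads as a typo; suggest `/* The user aborted the menu or rejected this cert: stop walking the chain, since GnuTLS date checks are disabled in tls_negotiate() and later certs would otherwise be accepted on their own. */`, which also records the rationale from the commit message next to the code. The guard treats every zero return from tls_check_one_certificate() as abort/reject, which is sound only if zero is reserved for those outcomes; that function is not in the hunk, so this is worth confirming. The enclosing loop and the rest of tls_check_certificate() lie outside the hunk, and the hunk header's line counts suggest one trailing context line was lost in this rendering.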