authorWilmer van der Gaast <wilmer@gaast.net>2011-12-24 15:52:35 +0100
committerWilmer van der Gaast <wilmer@gaast.net>2011-12-24 15:52:35 +0100
commit5513f3e56a45d4a227bfc7d01210fdded516458c (patch)
treef6198fa99ed85373870cb9a3e8dde452f8670ef0
parent200e151edbbcbb164e7fe2a01a28a0c1c9108972 (diff)
Fix compatibility with old GnuTLS versions, but with a warning. See
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1417 for details.
-rwxr-xr-xconfigure4
-rw-r--r--lib/ssl_gnutls.c4
2 files changed, 8 insertions, 0 deletions
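--- a/configure
+++ b/configure
@@ -282,6 +282,10 @@ EFLAGS+=`$PKG_CONFIG --libs gnutls` `libgcrypt-config --libs`
 CFLAGS+=`$PKG_CONFIG --cflags gnutls` `libgcrypt-config --cflags`
 EOF
 ssl=gnutls
+ if ! pkg-config gnutls --atleast-version=2.8; then
+ echo
+ echo 'Warning: With GnuTLS versions <2.8, certificate expire dates are not verified.'
+ fi
 ret=1
 elif libgnutls-config --version > /dev/null 2> /dev/null; then
 cat <<EOF>>Makefile.settings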
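Review bot: The new version check on the `if ! pkg-config gnutls --atleast-version=2.8` line invokes `pkg-config` literally, while the surrounding block resolves the tool through `$PKG_CONFIG` (see the `--libs gnutls` and `--cflags gnutls` lines just above). With an overridden PKG_CONFIG, such as a cross-compile wrapper, the check consults a different gnutls than the one actually linked, and if no bare `pkg-config` is on PATH the negated test prints the warning on every build regardless of the real version. Using the same variable, `if ! $PKG_CONFIG --atleast-version=2.8 gnutls; then`, keeps the warning tied to the library that will be linked. Since the message reports a weakened certificate-validation guarantee (expired or not-yet-valid certificates would be accepted), writing it to stderr with `echo 'Warning: ...' >&2` would also keep it visible when configure's stdout is redirected to a log.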
diff --git a/lib/ssl_gnutls.c b/lib/ssl_gnutls.c
index b4bc72d5..f5e0ad47 100644
--- a/lib/ssl_gnutls.c
+++ b/lib/ssl_gnutls.c
@@ -165,11 +165,15 @@ static int verify_certificate_callback( gnutls_session_t session )
if( status & GNUTLS_CERT_INSECURE_ALGORITHM )
verifyret |= VERIFY_CERT_INSECURE_ALGORITHM;
+#ifdef GNUTLS_CERT_NOT_ACTIVATED
+ /* Amusingly, the GnuTLS function used above didn't check for expiry
+ until GnuTLS 2.8 or so. (See CVE-2009-1417) */
if( status & GNUTLS_CERT_NOT_ACTIVATED )
verifyret |= VERIFY_CERT_NOT_ACTIVATED;
if( status & GNUTLS_CERT_EXPIRED )
verifyret |= VERIFY_CERT_EXPIRED;
+#endif
/* The following check is already performed inside
* gnutls_certificate_verify_peers2, so we don't need it.