Fix compatibility with old GnuTLS versions, but with a warning. See

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1417 for details.
author: Wilmer van der Gaast <wilmer@gaast.net> 2011-12-24 15:52:35 +0100
committer: Wilmer van der Gaast <wilmer@gaast.net> 2011-12-24 15:52:35 +0100
commit: 5513f3e56a45d4a227bfc7d01210fdded516458c (patch)
tree: f6198fa99ed85373870cb9a3e8dde452f8670ef0 /lib/ssl_gnutls.c
parent: 200e151edbbcbb164e7fe2a01a28a0c1c9108972 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/ssl_gnutls.c b/lib/ssl_gnutls.c
index b4bc72d5..f5e0ad47 100644
--- a/lib/ssl_gnutls.c
+++ b/lib/ssl_gnutls.c
@@ -165,11 +165,15 @@ static int verify_certificate_callback( gnutls_session_t session )
 	if( status & GNUTLS_CERT_INSECURE_ALGORITHM )
 		verifyret |= VERIFY_CERT_INSECURE_ALGORITHM;
 
+#ifdef GNUTLS_CERT_NOT_ACTIVATED
+	/* Amusingly, the GnuTLS function used above didn't check for expiry
+	   until GnuTLS 2.8 or so. (See CVE-2009-1417) */
 	if( status & GNUTLS_CERT_NOT_ACTIVATED )
 		verifyret |= VERIFY_CERT_NOT_ACTIVATED;
 
 	if( status & GNUTLS_CERT_EXPIRED )
 		verifyret |= VERIFY_CERT_EXPIRED;
+#endif
 
 	/* The following check is already performed inside 
 	 * gnutls_certificate_verify_peers2, so we don't need it.
author	Wilmer van der Gaast <wilmer@gaast.net>	2011-12-24 15:52:35 +0100
committer	Wilmer van der Gaast <wilmer@gaast.net>	2011-12-24 15:52:35 +0100
commit	5513f3e56a45d4a227bfc7d01210fdded516458c (patch)
tree	f6198fa99ed85373870cb9a3e8dde452f8670ef0 /lib/ssl_gnutls.c
parent	200e151edbbcbb164e7fe2a01a28a0c1c9108972 (diff)