author | Wilmer van der Gaast <wilmer@gaast.net> | 2011-12-23 23:40:17 +0100 |
---|---|---|
committer | Wilmer van der Gaast <wilmer@gaast.net> | 2011-12-23 23:40:17 +0100 |
commit | 200e151edbbcbb164e7fe2a01a28a0c1c9108972 (patch) | |
tree | ba51f16352b0fab2911aae8298642a153aec82f6 /lib/ssl_nss.c | |
parent | 792a93b417c24a206d8995ca8bf51482f20e997e (diff) |
tls_verify correction: Don't fail cert verification in non-GnuTLS modules
unless "cafile" setting is enabled.
Diffstat (limited to 'lib/ssl_nss.c')
-rw-r--r-- | lib/ssl_nss.c | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/lib/ssl_nss.c b/lib/ssl_nss.c index 5b573f9b..d50620d5 100644 --- a/lib/ssl_nss.c +++ b/lib/ssl_nss.c @@ -139,7 +139,7 @@ void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function conn->fd = fd; conn->func = func; conn->data = data; - conn->verify = verify; + conn->verify = verify && global.conf->cafile; /* This function should be called via a (short) timeout instead of directly from here, because these SSL calls are *supposed* to be @@ -159,12 +159,11 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con { struct scd *conn = data; - /* Right now we don't have any verification functionality for nss so we - fail in case verification has been requested by the user. */ + /* Right now we don't have any verification functionality for NSS. */ if( conn->verify ) { - conn->func( conn->data, NSS_VERIFY_ERROR, NULL, cond ); + conn->func( conn->data, 1, NULL, cond ); if( source >= 0 ) closesocket( source ); g_free( conn ); |
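Review bot: The new assignment `conn->verify = verify && global.conf->cafile;` in ssl_starttls() silently discards a verification request when no cafile is configured, so a caller that passed verify=TRUE gets an unauthenticated TLS session with no indication. The second hunk states that this module has no verification code at all, so the user would have no way to tell that the setting had no effect. I would at least document the downgrade at this line, e.g. `/* verify requested but no cafile set: NSS cannot check certs, so the session proceeds unverified */`, and preferably log a warning once when the request is dropped. Only part of ssl_starttls() is visible here; if another entry point in this file sets conn->verify, it needs the same treatment.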
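Review bot: The callback now receives the bare literal `1` in `conn->func( conn->data, 1, NULL, cond );`, which removes the only signal telling the caller that this failure was a certificate-verification refusal rather than some other error. If the named code has to go, annotate the literal at the call, e.g. `/* 1: presumably a generic failure code; the cert could not be verified because NSS verification is not implemented */`, or keep a named constant so the caller can report the real reason. The shortened comment also no longer says that this branch deliberately refuses the connection; restoring that half-sentence would keep the fail-closed intent clear to the next reader. ssl_connected() continues past the end of the hunk.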