aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rwxr-xr-xconfigure4
-rw-r--r--lib/ssl_gnutls.c4
2 files changed, 8 insertions, 0 deletions
diff --git a/configure b/configure
index 8fd61af5..2f1b5046 100755
--- a/configure
+++ b/configure
@@ -282,6 +282,10 @@ EFLAGS+=`$PKG_CONFIG --libs gnutls` `libgcrypt-config --libs`
CFLAGS+=`$PKG_CONFIG --cflags gnutls` `libgcrypt-config --cflags`
EOF
ssl=gnutls
+ if ! pkg-config gnutls --atleast-version=2.8; then
+ echo
+ echo 'Warning: With GnuTLS versions <2.8, certificate expire dates are not verified.'
+ fi
ret=1
elif libgnutls-config --version > /dev/null 2> /dev/null; then
cat <<EOF>>Makefile.settings
diff --git a/lib/ssl_gnutls.c b/lib/ssl_gnutls.c
index b4bc72d5..f5e0ad47 100644
--- a/lib/ssl_gnutls.c
+++ b/lib/ssl_gnutls.c
@@ -165,11 +165,15 @@ static int verify_certificate_callback( gnutls_session_t session )
if( status & GNUTLS_CERT_INSECURE_ALGORITHM )
verifyret |= VERIFY_CERT_INSECURE_ALGORITHM;
+#ifdef GNUTLS_CERT_NOT_ACTIVATED
+ /* Amusingly, the GnuTLS function used above didn't check for expiry
+ until GnuTLS 2.8 or so. (See CVE-2009-1417) */
if( status & GNUTLS_CERT_NOT_ACTIVATED )
verifyret |= VERIFY_CERT_NOT_ACTIVATED;
if( status & GNUTLS_CERT_EXPIRED )
verifyret |= VERIFY_CERT_EXPIRED;
+#endif
/* The following check is already performed inside
* gnutls_certificate_verify_peers2, so we don't need it.
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-27 21:13:10 +0000