From 5513f3e56a45d4a227bfc7d01210fdded516458c Mon Sep 17 00:00:00 2001
From: Wilmer van der Gaast <wilmer@gaast.net>
Date: Sat, 24 Dec 2011 15:52:35 +0100
Subject: Fix compatibility with old GnuTLS versions, but with a warning. See
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1417 for details.

---
 lib/ssl_gnutls.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'lib/ssl_gnutls.c')

diff --git a/lib/ssl_gnutls.c b/lib/ssl_gnutls.c
index b4bc72d5..f5e0ad47 100644
--- a/lib/ssl_gnutls.c
+++ b/lib/ssl_gnutls.c
@@ -165,11 +165,15 @@ static int verify_certificate_callback( gnutls_session_t session )
 	if( status & GNUTLS_CERT_INSECURE_ALGORITHM )
 		verifyret |= VERIFY_CERT_INSECURE_ALGORITHM;
 
+#ifdef GNUTLS_CERT_NOT_ACTIVATED
+	/* Amusingly, the GnuTLS function used above didn't check for expiry
+	   until GnuTLS 2.8 or so. (See CVE-2009-1417) */
 	if( status & GNUTLS_CERT_NOT_ACTIVATED )
 		verifyret |= VERIFY_CERT_NOT_ACTIVATED;
 
 	if( status & GNUTLS_CERT_EXPIRED )
 		verifyret |= VERIFY_CERT_EXPIRED;
+#endif
 
 	/* The following check is already performed inside 
 	 * gnutls_certificate_verify_peers2, so we don't need it.
-- 
cgit v1.2.3