From 200e151edbbcbb164e7fe2a01a28a0c1c9108972 Mon Sep 17 00:00:00 2001
From: Wilmer van der Gaast <wilmer@gaast.net>
Date: Fri, 23 Dec 2011 23:40:17 +0100
Subject: tls_verify correction: Don't fail cert verification in non-GnuTLS
 modules unless "cafile" setting is enabled.

---
 lib/ssl_nss.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

(limited to 'lib/ssl_nss.c')

diff --git a/lib/ssl_nss.c b/lib/ssl_nss.c
index 5b573f9b..d50620d5 100644
--- a/lib/ssl_nss.c
+++ b/lib/ssl_nss.c
@@ -139,7 +139,7 @@ void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function
 	conn->fd = fd;
 	conn->func = func;
 	conn->data = data;
-	conn->verify = verify;
+	conn->verify = verify && global.conf->cafile;
 
 	/* This function should be called via a (short) timeout instead of
 	   directly from here, because these SSL calls are *supposed* to be
@@ -159,12 +159,11 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con
 {
 	struct scd *conn = data;
 	
-	/* Right now we don't have any verification functionality for nss so we 
-	   fail in case verification has been requested by the user. */
+	/* Right now we don't have any verification functionality for NSS. */
 
 	if( conn->verify )
 	{
-		conn->func( conn->data, NSS_VERIFY_ERROR, NULL, cond );
+		conn->func( conn->data, 1, NULL, cond );
 		if( source >= 0 ) closesocket( source );
 		g_free( conn );
 
-- 
cgit v1.2.3