From 200e151edbbcbb164e7fe2a01a28a0c1c9108972 Mon Sep 17 00:00:00 2001
From: Wilmer van der Gaast
Date: Fri, 23 Dec 2011 23:40:17 +0100
Subject: tls_verify correction: Don't fail cert verification in non-GnuTLS modules unless "cafile" setting is enabled.

---
 lib/ssl_openssl.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

(limited to 'lib/ssl_openssl.c')

diff --git a/lib/ssl_openssl.c b/lib/ssl_openssl.c
index 955c8274..5c38d0e9 100644
--- a/lib/ssl_openssl.c
+++ b/lib/ssl_openssl.c
@@ -90,7 +90,7 @@ void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function
 	conn->func = func;
 	conn->data = data;
 	conn->inpa = -1;
-	conn->verify = verify;
+	conn->verify = verify && global.conf->cafile;
 
 	/* This function should be called via a (short) timeout instead of
 	   directly from here, because these SSL calls are *supposed* to be
@@ -118,12 +118,11 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con
 	struct scd *conn = data;
 	SSL_METHOD *meth;
 
-	/* Right now we don't have any verification functionality for openssl so we
-	   fail in case verification has been requested by the user. */
+	/* Right now we don't have any verification functionality for OpenSSL. */
 
 	if( conn->verify )
 	{
-		conn->func( conn->data, OPENSSL_VERIFY_ERROR, NULL, cond );
+		conn->func( conn->data, 1, NULL, cond );
 		if( source >= 0 )
 			closesocket( source );
 		g_free( conn );
--
cgit v1.2.3
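Review bot: The new assignment `conn->verify = verify && global.conf->cafile;` silently turns a caller's verify request into an unverified connection whenever no cafile is configured, and nothing records that downgrade — no diagnostic and no signal to the callback — so an operator cannot later tell a deliberately-unverified session from a verified one. The choice is defensible given that this backend cannot verify yet, but it deserves a comment on that line, e.g. `/* OpenSSL backend cannot verify certs; keep 'verify' set (and hard-fail later) only when the user configured cafile, i.e. explicitly asked for it. */`. Note also that `global.conf->cafile` is presumably a string pointer, so an empty-but-allocated value would still count as configured here; confirm that is the intended semantics. ssl_starttls continues outside the hunk.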
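Review bot: The replacement line `conn->func( conn->data, 1, NULL, cond );` passes a bare `1` where the removed line used the named constant OPENSSL_VERIFY_ERROR, so the meaning of the status argument is no longer visible at the call site; if that constant was dropped elsewhere in this series, a local named value or at least a comment on what `1` signals to the callback would keep the intent readable. The rewritten comment also lost the "why": it now states that there is no verification functionality but no longer explains why the code refuses the connection when `conn->verify` is set. Suggest `/* No cert verification for OpenSSL yet; conn->verify is only set when the user configured cafile, so refuse rather than silently connect unverified. */`. ssl_connected continues outside the hunk.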