From 6c7d6ae27283e2a54b97198baedfe9c26b812b46 Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Mon, 4 Oct 2010 11:13:22 +0200 Subject: Don't ignore the CA certificate if it's the only one in the chain This avoids auth-client crashes for servers which provide only a self-signed CA as TLS certificate on connect (#631095). --- libempathy/empathy-tls-verifier.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'libempathy/empathy-tls-verifier.c') diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c index 517ae9e5b..13727db17 100644 --- a/libempathy/empathy-tls-verifier.c +++ b/libempathy/empathy-tls-verifier.c @@ -260,10 +260,13 @@ real_start_verification (EmpathyTLSVerifier *self) /* if the last certificate is self-signed, and we have a list of * trusted CAs, ignore it, as we want to check the chain against our * trusted CAs list first. + * if we have only one certificate in the chain, don't ignore it though, + * as it's the CA certificate itself. */ last_cert = g_ptr_array_index (priv->cert_chain, num_certs - 1); - if (gnutls_x509_crt_check_issuer (last_cert, last_cert) > 0) + if (gnutls_x509_crt_check_issuer (last_cert, last_cert) > 0 && + num_certs > 1) num_certs--; } -- cgit v1.2.3