Don't ignore the CA certificate if it's the only one in the chain

This avoids auth-client crashes for servers which provide only a self-signed CA as TLS certificate on connect (#631095).
author: Cosimo Cecchi <cosimoc@gnome.org> 2010-10-04 09:13:22 (GMT)
committer: Cosimo Cecchi <cosimoc@gnome.org> 2010-10-04 09:22:47 (GMT)
commit: 6c7d6ae27283e2a54b97198baedfe9c26b812b46 (patch)
tree: 2753434c52abb745f248cb25b1bc69f880d0f757
parent: f060ca8527d66c601d624394f4d46c037c713f34 (diff)
download: empathy-6c7d6ae27283e2a54b97198baedfe9c26b812b46.zip
empathy-6c7d6ae27283e2a54b97198baedfe9c26b812b46.tar.xz
1 files changed, 4 insertions, 1 deletions
diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c
index 517ae9e..13727db 100644
--- a/libempathy/empathy-tls-verifier.c
+++ b/libempathy/empathy-tls-verifier.c
@@ -260,10 +260,13 @@ real_start_verification (EmpathyTLSVerifier *self)
       /* if the last certificate is self-signed, and we have a list of
        * trusted CAs, ignore it, as we want to check the chain against our
        * trusted CAs list first.
+       * if we have only one certificate in the chain, don't ignore it though,
+       * as it's the CA certificate itself.
        */
       last_cert = g_ptr_array_index (priv->cert_chain, num_certs - 1);
 
-      if (gnutls_x509_crt_check_issuer (last_cert, last_cert) > 0)
+      if (gnutls_x509_crt_check_issuer (last_cert, last_cert) > 0 &&
+          num_certs > 1)
         num_certs--;
     }
author	Cosimo Cecchi <cosimoc@gnome.org>	2010-10-04 09:13:22 (GMT)
committer	Cosimo Cecchi <cosimoc@gnome.org>	2010-10-04 09:22:47 (GMT)
commit	6c7d6ae27283e2a54b97198baedfe9c26b812b46 (patch)
tree	2753434c52abb745f248cb25b1bc69f880d0f757
parent	f060ca8527d66c601d624394f4d46c037c713f34 (diff)
download	empathy-6c7d6ae27283e2a54b97198baedfe9c26b812b46.zip empathy-6c7d6ae27283e2a54b97198baedfe9c26b812b46.tar.xz