ITS#5992 trust X509v1 CA certs
authorHoward Chu <hyc@openldap.org>
Thu, 5 Mar 2009 04:35:49 +0000 (04:35 +0000)
committerHoward Chu <hyc@openldap.org>
Thu, 5 Mar 2009 04:35:49 +0000 (04:35 +0000)
libraries/libldap/tls_g.c

index 57731673b3dc7815280dd7a124694fcc33077b89..759c9b7621fb59f49957a741b32d3df875133d24 100644 (file)
@@ -349,6 +349,13 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
                if ( rc < 0 ) return -1;
                rc = 0;
        }
+
+       /* FIXME: ITS#5992 - this should go be configurable,
+        * and V1 CA certs should be phased out ASAP.
+        */
+       gnutls_certificate_set_verify_flags( ctx->cred,
+               GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
+
        if ( is_server ) {
                gnutls_dh_params_init(&ctx->dh_params);
                gnutls_dh_params_generate2(ctx->dh_params, DH_BITS);
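Review bot: The added gnutls_certificate_set_verify_flags() call relaxes chain verification for every context this function builds, client and server alike, with no way for a deployment that has no X.509v1 CA to keep strict checking; the FIXME admits this should be configurable, so gating the call on a TLS option in `lo` (the struct ldapoptions already passed in) and leaving the strict default in place when it is unset would let the V1 phase-out happen per deployment rather than in a later code change. GnuTLS documents this call as setting the flag set, not OR-ing into it, so if verify flags are set anywhere else on `ctx->cred` (not visible in this hunk) the later call wins; a comment such as `/* NOTE: replaces any verify flags set earlier on ctx->cred */` would make that explicit. The comment text itself reads "this should go be configurable", presumably "this should be configurable". tlsg_ctx_init starts before and continues after this hunk.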