From: Howard Chu
Date: Thu, 5 Mar 2009 04:35:49 +0000 (+0000)
Subject: ITS#5992 trust X509v1 CA certs
X-Git-Tag: ACLCHECK_0~758
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=54ed3779d66d3903c53f67607fc68d773c95222f;p=openldap

ITS#5992 trust X509v1 CA certs
---

diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index 57731673b3..759c9b7621 100644
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -349,6 +349,13 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 if ( rc < 0 ) return -1;
 rc = 0;
 }
+
+ /* FIXME: ITS#5992 - this should go be configurable,
+ * and V1 CA certs should be phased out ASAP.
+ */
+ gnutls_certificate_set_verify_flags( ctx->cred,
+ GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
+
 if ( is_server ) {
 gnutls_dh_params_init(&ctx->dh_params);
 gnutls_dh_params_generate2(ctx->dh_params, DH_BITS);
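Review bot: The new `gnutls_certificate_set_verify_flags( ctx->cred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT )` call is applied unconditionally to every context, client and server alike, so an X.509v1 certificate (which carries no extensions, hence no basicConstraints) is accepted as a CA during peer verification even for deployments whose trust store contains no V1 CA at all; the FIXME itself says this should be configurable, and the gate belongs in this commit, e.g. `if ( lt-><allow_v1_ca option, to be added> )` around the call. As far as I can tell this GnuTLS function sets the verify flags rather than OR-ing into them, so any verify flags set elsewhere on `ctx->cred` would be replaced by this single flag — worth confirming against the GnuTLS version in use. The added comment also has a typo: `this should go be configurable` should read `this should be configurable`. tlsg_ctx_init starts and ends outside the hunk.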