TLSClient: do certification verification with old gnutls

The automatic verification for the server certificate with gnutls_certificate_set_verify_function does only work with gnutls >=2.9.10. So with older versions we should call the verify function manually after the gnutls handshake. Signed-off-by: Paul Beckingham <paul@beckingham.net>
2025-06-26 10:54:26 +02:00 · 2014-03-17 18:50:52 +01:00 · 2014-03-17 18:50:52 +01:00 · 88b94ac2fc
commit 88b94ac2fc
parent 5774c31dfd
3 changed files with 17 additions and 0 deletions
--- a/src/TLSClient.cpp
+++ b/src/TLSClient.cpp
@ -183,6 +183,10 @@ void TLSClient::init (
    throw std::string ("Missing CERT file.");

 #if GNUTLS_VERSION_NUMBER >= 0x02090a
+  // The automatic verification for the server certificate with
+  // gnutls_certificate_set_verify_function only works with gnutls
+  // >=2.9.10. So with older versions we should call the verify function
+  // manually after the gnutls handshake.
  gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback);
 #endif
  gnutls_init (&_session, GNUTLS_CLIENT);
@ -267,6 +271,16 @@ void TLSClient::connect (const std::string& host, const std::string& port)
  if (ret < 0)
    throw format (STRING_CMD_SYNC_HANDSHAKE, gnutls_strerror (ret));

+#if GNUTLS_VERSION_NUMBER < 0x02090a
+  // The automatic verification for the server certificate with
+  // gnutls_certificate_set_verify_function does only work with gnutls
+  // >=2.9.10. So with older versions we should call the verify function
+  // manually after the gnutls handshake.
+  ret = verify_certificate_callback(_session);
+  if (ret < 0)
+    throw std::string (STRING_TLS_INIT_FAIL);
+#endif
+
  if (_debug)
  {
 #if GNUTLS_VERSION_NUMBER >= 0x03010a