# HG changeset patch # User Sebastien Decugis # Date 1370516736 -28800 # Node ID 8c340f8321274711e3f1fd13129f646685879e01 # Parent 42d3fd71e7ea577f3996bcfb9f8087edcbf0da14 Remove auto-use of the certificate as CA when CA was not provided, since now TLS_cred can be ignored when TLS is not used. diff -r 42d3fd71e7ea -r 8c340f832127 libfdcore/config.c --- a/libfdcore/config.c Thu Jun 06 15:49:38 2013 +0800 +++ b/libfdcore/config.c Thu Jun 06 19:05:36 2013 +0800 @@ -278,20 +278,6 @@ } } - /* If the CA is not provided, let's use the same file (assuming self-signed certificate) */ - if ((!fd_g_config->cnf_sec_data.tls_disabled) && (!fd_g_config->cnf_sec_data.ca_file)) { - CHECK_MALLOC( fd_g_config->cnf_sec_data.ca_file = strdup(fd_g_config->cnf_sec_data.cert_file) ); - CHECK_GNUTLS_DO( fd_g_config->cnf_sec_data.ca_file_nr += gnutls_certificate_set_x509_trust_file( - fd_g_config->cnf_sec_data.credentials, - fd_g_config->cnf_sec_data.ca_file, - GNUTLS_X509_FMT_PEM), - { - TRACE_ERROR("Unable to use the local certificate as trusted security anchor (CA), please provide a valid TLS_CA='...' directive."); - return EINVAL; - } ); - } - - /* Resolve hostname if not provided */ if (fd_g_config->cnf_diamid == NULL) { char buf[HOST_NAME_MAX + 1]; @@ -452,7 +438,7 @@ { fd_log_debug("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file); if (output & GNUTLS_CERT_SIGNER_NOT_FOUND) - TRACE_ERROR(" - The certificate hasn't got a known issuer."); + TRACE_ERROR(" - The certificate hasn't got a known issuer. Did you forget to specify TLS_CA ?"); if (output & GNUTLS_CERT_SIGNER_NOT_CA) TRACE_ERROR(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints."); if (output & GNUTLS_CERT_NOT_ACTIVATED)
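Review bot: In the first hunk (libfdcore/config.c, the block removed around line 278), dropping the self-signed fallback also drops the only place that reported a missing TLS_CA at configuration time, so a peer with TLS enabled and no `TLS_CA` directive now continues with an empty trust store and only fails later when the local chain is verified. Consider replacing the removed block with an explicit check such as `if (!tls_disabled && !ca_file) { TRACE_ERROR("TLS is enabled but no TLS_CA was provided"); return EINVAL; }`, or at least documenting that TLS_CA is now mandatory whenever TLS is not disabled. The removed code was also the only visible writer of `cnf_sec_data.ca_file` and `ca_file_nr` in this path, so any later code that dereferences `ca_file` or assumes `ca_file_nr > 0` needs to be checked for the NULL / zero case.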
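Review bot: In the second hunk (the verification report around line 438), the new message `" - The certificate hasn't got a known issuer. Did you forget to specify TLS_CA ?"` has a stray space before the question mark; suggest `"... Did you forget to specify TLS_CA?"`, and for consistency with the directive syntax used in the message this change removes, `TLS_CA='...'`. Separately, the heading line `fd_log_debug("TLS: Local certificate chain '%s' is invalid :", ...)` is emitted at debug level while the ` - ` detail lines below it go through `TRACE_ERROR`, so at the default log level an operator sees the bullet lines without the line that names the offending certificate file; logging the heading at the same level would keep the hint actionable.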