changeset 1184:8c340f832127

Remove the automatic use of the local certificate as a CA when no CA was provided, since TLS_cred can now be omitted when TLS is not used.
author Sebastien Decugis <sdecugis@freediameter.net>
date Thu, 06 Jun 2013 19:05:36 +0800
parents 42d3fd71e7ea
children 23695957bfc0
files libfdcore/config.c
diffstat 1 files changed, 1 insertions(+), 15 deletions(-) [+]
--- a/libfdcore/config.c	Thu Jun 06 15:49:38 2013 +0800
+++ b/libfdcore/config.c	Thu Jun 06 19:05:36 2013 +0800
@@ -278,20 +278,6 @@
 		}
 	}
 	
-	/* If the CA is not provided, let's use the same file (assuming self-signed certificate) */
-	if ((!fd_g_config->cnf_sec_data.tls_disabled) && (!fd_g_config->cnf_sec_data.ca_file)) {
-		CHECK_MALLOC( fd_g_config->cnf_sec_data.ca_file = strdup(fd_g_config->cnf_sec_data.cert_file) );
-		CHECK_GNUTLS_DO( fd_g_config->cnf_sec_data.ca_file_nr += gnutls_certificate_set_x509_trust_file( 
-					fd_g_config->cnf_sec_data.credentials,
-					fd_g_config->cnf_sec_data.ca_file,
-					GNUTLS_X509_FMT_PEM),
-				{ 
-					TRACE_ERROR("Unable to use the local certificate as trusted security anchor (CA), please provide a valid TLS_CA='...' directive.");
-					return EINVAL;
-				} );
-	}
-	
-	
 	/* Resolve hostname if not provided */
 	if (fd_g_config->cnf_diamid == NULL) {
 		char buf[HOST_NAME_MAX + 1];
@@ -452,7 +438,7 @@
 			{
 				fd_log_debug("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file);
 				if (output & GNUTLS_CERT_SIGNER_NOT_FOUND)
-					TRACE_ERROR(" - The certificate hasn't got a known issuer.");
+					TRACE_ERROR(" - The certificate hasn't got a known issuer. Did you forget to specify TLS_CA ?");
 				if (output & GNUTLS_CERT_SIGNER_NOT_CA)
 					TRACE_ERROR(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints.");
 				if (output & GNUTLS_CERT_NOT_ACTIVATED)
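Review bot: The new hint on the GNUTLS_CERT_SIGNER_NOT_FOUND branch tells the operator to set TLS_CA, but with the automatic "use the local certificate as trust anchor" fallback dropped in the first hunk a self-signed deployment presumably lands here as well, and the message does not say what TLS_CA should point at in that case; suggest `TRACE_ERROR(" - The certificate hasn't got a known issuer. Did you forget to specify TLS_CA? (for a self-signed certificate, point TLS_CA at the certificate file itself)");`. The stray space before the question mark is also worth dropping. Whether a failed local chain check aborts startup or only logs is decided after this hunk, and the removed fallback also used to bump ca_file_nr, so anything that keys off ca_file_nr being non-zero now sees 0 when TLS_CA is unset — worth confirming. The enclosing function starts and ends outside the hunk.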