Use gnutls_certificate_set_x509_system_trust() where available

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

diff --git a/configure.ac b/configure.ac
index 682db8e..ed464b6 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -199,6 +199,8 @@ if test "$with_gnutls" = "yes" || test "$with_gnutls" = "shibboleet"; then
     ssl_library=gnutls
     oldlibs="$LIBS"
     LIBS="$LIBS $GNUTLS_LIBS"
+    AC_CHECK_FUNC(gnutls_certificate_set_x509_system_trust,
+                [AC_DEFINE(HAVE_GNUTLS_CERTIFICATE_SET_X509_SYSTEM_TRUST, 1)], [])
     AC_CHECK_FUNC(gnutls_pkcs12_simple_parse,
                 [AC_DEFINE(HAVE_GNUTLS_PKCS12_SIMPLE_PARSE, 1)], [])
     AC_CHECK_FUNC(gnutls_session_set_premaster,

diff --git a/gnutls.c b/gnutls.c
index 519f6e9..67a5dea 100644 (file)
--- a/gnutls.c
+++ b/gnutls.c
@@ -941,9 +941,13 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 
        if (!vpninfo->https_cred) {
                gnutls_certificate_allocate_credentials(&vpninfo->https_cred);
+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_SYSTEM_TRUST
+               gnutls_certificate_set_x509_system_trust(vpninfo->https_cred);
+#else
                gnutls_certificate_set_x509_trust_file(vpninfo->https_cred,
                                                       "/etc/pki/tls/certs/ca-bundle.crt",
                                                       GNUTLS_X509_FMT_PEM);
+#endif
                gnutls_certificate_set_verify_function (vpninfo->https_cred,
                                                        verify_peer);
                /* FIXME: Ensure TLSv1.0, no options */