From: David Woodhouse Date: Fri, 1 Jun 2012 12:07:20 +0000 (+0100) Subject: GnuTLS: Don't include root CA in the supporting evidence; only intermediates X-Git-Tag: v3.99~89 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e8e99faf3798acc23bef6b47d84f1b92b89a736e;p=platform%2Fupstream%2Fopenconnect.git GnuTLS: Don't include root CA in the supporting evidence; only intermediates Signed-off-by: David Woodhouse --- diff --git a/gnutls.c b/gnutls.c index 84d13db..f1661a3 100644 --- a/gnutls.c +++ b/gnutls.c @@ -649,8 +649,14 @@ static int load_certificate(struct openconnect_info *vpninfo) break; } - if (issuer == last_cert) + if (issuer == last_cert) { + /* Don't actually include the root CA. If they don't already trust it, + then handing it to them isn't going to help. But don't omit the + original certificate if it's self-signed. */ + if (nr_supporting_certs > 1) + nr_supporting_certs--; break; + } /* OK, we found a new cert to add to our chain. */ supporting_certs = realloc(supporting_certs,
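Review bot: after `nr_supporting_certs--` in the `issuer == last_cert` branch, the root certificate object that was already stored at `supporting_certs[nr_supporting_certs]` is no longer counted but is still in the array; please confirm the cleanup path that frees the supporting certificates also releases that uncounted entry, otherwise the root `gnutls_x509_crt_t` leaks on every load. The `nr_supporting_certs > 1` guard correctly keeps a self-signed leaf certificate from being dropped, and the comment documents the intent well, though it would be worth stating in the commit message that omitting the root is purely a size optimisation (the peer must already trust it for validation to succeed) so that a later reader does not mistake it for a trust-related change.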