From ffb0c6816ba788dcf3b8aa6006bd9cf1b5773448 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Thu, 31 May 2012 20:14:36 +0100
Subject: [PATCH] GnuTLS: Load trusted CAs before loading certificate

We'll need them present when we load the certificate, because that's when we search through them for supporting certs.

Signed-off-by: David Woodhouse
---
 gnutls.c | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/gnutls.c b/gnutls.c
index 72ff5c1..65e3627 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -1036,6 +1036,19 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 						verify_peer);
 	/* FIXME: Ensure TLSv1.0, no options */
 
+	if (vpninfo->cafile) {
+		err = gnutls_certificate_set_x509_trust_file(vpninfo->https_cred,
+							     vpninfo->cafile,
+							     GNUTLS_X509_FMT_PEM);
+		if (err < 0) {
+			vpn_progress(vpninfo, PRG_ERR,
+				     _("Failed to open CA file '%s': %s\n"),
+				     vpninfo->cafile, gnutls_strerror(err));
+			close(ssl_sock);
+			return -EINVAL;
+		}
+	}
+
 	if (vpninfo->cert) {
 		err = load_certificate(vpninfo);
 		if (err) {
@@ -1054,18 +1067,6 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 		   I don't know of _any_ workaround which will, and can't be
 		   bothered to find out either. */
 
-	if (vpninfo->cafile) {
-		err = gnutls_certificate_set_x509_trust_file(vpninfo->https_cred,
-							     vpninfo->cafile,
-							     GNUTLS_X509_FMT_PEM);
-		if (err < 0) {
-			vpn_progress(vpninfo, PRG_ERR,
-				     _("Failed to open CA file '%s': %s\n"),
-				     vpninfo->cafile, gnutls_strerror(err));
-			close(ssl_sock);
-			return -EINVAL;
-		}
-	}
 	}
 
 	gnutls_init (&vpninfo->https_sess, GNUTLS_CLIENT);
-- 
2.7.4
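Review bot: A CA file that yields no usable certificates passes the moved check silently, because gnutls_certificate_set_x509_trust_file() returns the number of certificates loaded and only negative values are rejected by `if (err < 0)`; an empty or non-PEM --cafile then adds nothing to the trust store, and the later verify_peer step runs with no anchors from it and a far less helpful diagnostic. Consider rejecting `err == 0` here as well, or at least logging it at PRG_ERR with the file name, so a misconfigured trust file is reported at load time rather than as a generic verification failure. The ordering this commit introduces is load-bearing but invisible in the code; a short comment on the new `if (vpninfo->cafile) {` line, e.g. `/* Must precede load_certificate(): it searches the trust store for supporting certs. */`, would stop a future cleanup from moving it back. The new error path closes ssl_sock but leaves https_cred allocated, matching the existing pattern; if the caller does not release it on failure this is a leak per failed connect, which I cannot confirm from this hunk. openconnect_open_https() begins and ends outside both hunks.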