From 324b88d8dbd7e62134d2b7faa4c68fa910547da0 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Mon, 14 Aug 2017 11:54:13 +0100
Subject: [PATCH] Kill HAVE_GNUTLS_CERTIFICATE_SET_X509_SYSTEM_TRUST

Signed-off-by: David Woodhouse
---
 configure.ac | 36 ------------------------------------
 gnutls.c | 10 ++--------
 2 files changed, 2 insertions(+), 44 deletions(-)

diff --git a/configure.ac b/configure.ac
index 7eed841a..8fec7905 100644
--- a/configure.ac
+++ b/configure.ac
@@ -450,42 +450,6 @@ case "$ssl_library" in
     oldcflags="$CFLAGS"
     LIBS="$LIBS $GNUTLS_LIBS"
     CFLAGS="$CFLAGS $GNUTLS_CFLAGS"
-    AC_CHECK_FUNC(gnutls_certificate_set_x509_system_trust,
-                  [AC_DEFINE(HAVE_GNUTLS_CERTIFICATE_SET_X509_SYSTEM_TRUST, 1, [From GnuTLS 3.0.20])], [])
-    if test "$ac_cv_func_gnutls_certificate_set_x509_system_trust" != "yes"; then
-        # We will need to tell GnuTLS the path to the system CA file.
-        if test "$with_system_cafile" = "yes" || test "$with_system_cafile" = ""; then
-            unset with_system_cafile
-            AC_MSG_CHECKING([For location of system CA trust file])
-            for file in /etc/ssl/certs/ca-certificates.crt \
-                        /etc/pki/tls/cert.pem \
-                        /usr/local/share/certs/ca-root-nss.crt \
-                        /etc/ssl/cert.pem \
-                        /etc/ssl/ca-bundle.pem \
-                        ; do
-                if grep 'BEGIN CERTIFICATE-----' $file >/dev/null 2>&1; then
-                    with_system_cafile=${file}
-                    break
-                fi
-            done
-            AC_MSG_RESULT([${with_system_cafile-NOT FOUND}])
-        elif test "$with_system_cafile" = "no"; then
-            AC_MSG_ERROR([You cannot disable the system CA certificate file.])
-        fi
-        if test "$with_system_cafile" = ""; then
-            AC_MSG_ERROR([Unable to find a standard system CA certificate file.]
-                         [Your GnuTLS requires a path to a CA certificate store. This is a file]
-                         [which contains a list of the Certificate Authorities which are trusted.]
-                         [Most distributions ship with this file in a standard location, but none]
-                         [the known standard locations exist on your system. You should provide a]
-                         [--with-system-cafile= argument to this configure script, giving the full]
-                         [path to a default CA certificate file for GnuTLS to use. Also, please]
-                         [send full details of your system, including 'uname -a' output and the]
-                         [location of the system CA certificate store on your system, to the]
-                         [openconnect-devel@lists.infradead.org mailing list.])
-        fi
-        AC_DEFINE_UNQUOTED([DEFAULT_SYSTEM_CAFILE], ["$with_system_cafile"], [Location of System CA trust file])
-    fi
     AC_CHECK_FUNC(gnutls_cipher_set_iv, [esp=yes], [])
     AC_CHECK_FUNC(gnutls_pkcs12_simple_parse,
diff --git a/gnutls.c b/gnutls.c
index aeae229e..4f3c46e6 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -2228,15 +2228,9 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
     if (!vpninfo->https_cred) {
         gnutls_certificate_allocate_credentials(&vpninfo->https_cred);
-        if (!vpninfo->no_system_trust) {
-#ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_SYSTEM_TRUST
+        if (!vpninfo->no_system_trust)
             gnutls_certificate_set_x509_system_trust(vpninfo->https_cred);
-#else
-            gnutls_certificate_set_x509_trust_file(vpninfo->https_cred,
-                                                   DEFAULT_SYSTEM_CAFILE,
-                                                   GNUTLS_X509_FMT_PEM);
-#endif
-        }
+ gnutls_certificate_set_verify_function(vpninfo->https_cred, verify_peer);
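Review bot: Nothing left in this case arm checks that the GnuTLS being built against actually provides gnutls_certificate_set_x509_system_trust, which the deleted AC_DEFINE comment dated to GnuTLS 3.0.20; with both the probe and the DEFAULT_SYSTEM_CAFILE fallback gone, an older library now fails at link time in gnutls.c rather than at configure with a readable message. If a minimum-version check earlier in configure.ac already guarantees 3.0.20 or newer, say so where the probe used to be, e.g. `# gnutls_certificate_set_x509_system_trust (GnuTLS >= 3.0.20) is assumed here; keep the GnuTLS minimum-version check in step with this`. The --with-system-cafile argument that the removed block consumed is presumably still declared by an AC_ARG_WITH elsewhere in the file; if so it is now accepted and silently ignored, and should be dropped or turned into an AC_MSG_ERROR so a user pointing at a custom CA bundle is not left believing it is in effect when only the system trust store is. The enclosing case arm begins and ends outside the hunk.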