Merge branch 'github_PR_164'

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
sailfishos-mirror · Mar 30, 2020 · 6f1240f · 6f1240f
2 parents 813b8bd + 6345f7b
commit 6f1240f
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/gnutls.c b/gnutls.c
@@ -56,6 +56,14 @@ static int gnutls_pin_callback(void *priv, int attempt, const char *uri,
 #define GNUTLS_E_PREMATURE_TERMINATION GNUTLS_E_UNEXPECTED_PACKET_LENGTH
 #endif
 
+/* GnuTLS 3.5.0 added this flag to send a client cert, even if its issuer is
+ * mismatched to the list of issuers requested by the server. OpenSSL does
+ * this by default.
+ * https://github.com/curl/curl/issues/1411
+ */
+#ifndef GNUTLS_FORCE_CLIENT_CERT
+#define GNUTLS_FORCE_CLIENT_CERT 0
+#endif
 
 /* Compile-time optimisable GnuTLS version check. We should never be
  * run against a version of GnuTLS which is *older* than the one we
@@ -2185,7 +2193,7 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 			}
 		}
 	}
-	gnutls_init(&vpninfo->https_sess, GNUTLS_CLIENT);
+	gnutls_init(&vpninfo->https_sess, GNUTLS_CLIENT|GNUTLS_FORCE_CLIENT_CERT);
 	gnutls_session_set_ptr(vpninfo->https_sess, (void *) vpninfo);
 	/*
 	 * For versions of GnuTLS older than 3.2.9, we try to avoid long