From faabc49797df43c4904b6230f83e8c6677e88b22 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Thu, 10 Sep 2020 09:13:59 +0200
Subject: dirmngr: Align the gnutls use of CAs with the ntbtls code.

* dirmngr/http.c (http_session_new) <gnutls>: Use only the special
pool certificate for the default keyserver.
--

The gnutls version uses a different strategy than the ntbtls version
on when to use the special SKS pool certificate.  This patch aligns it
so that we don't need to wonder about different kind of bug reports.
In short the special cert is now the only cert use with the default
keyserver.

Signed-off-by: Werner Koch <wk@gnupg.org>
---
 dirmngr/certcache.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'dirmngr/certcache.c')

diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c
index 5486997b6..87f605eab 100644
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@@ -721,6 +721,9 @@ cert_cache_init (strlist_t hkp_cacerts)
     load_certs_from_dir (fname, 0);
   xfree (fname);
 
+  /* Put the special pool certificate into our store.  This is
+   * currently only used with ntbtls.  For GnuTLS http_session_new
+   * unfortunately loads that certificate directly from the file.  */
   fname = make_filename_try (gnupg_datadir (),
                              "sks-keyservers.netCA.pem", NULL);
   if (fname)
-- 
cgit v1.2.3