From faabc49797df43c4904b6230f83e8c6677e88b22 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Thu, 10 Sep 2020 09:13:59 +0200
Subject: dirmngr: Align the gnutls use of CAs with the ntbtls code.

* dirmngr/http.c (http_session_new) : Use only the special pool certificate for the default keyserver.
--

The gnutls version uses a different strategy than the ntbtls version on when to use the special SKS pool certificate. This patch aligns it so that we don't need to wonder about different kind of bug reports. In short the special cert is now the only cert use with the default keyserver.

Signed-off-by: Werner Koch
---
 dirmngr/http-ntbtls.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
 (limited to 'dirmngr/http-ntbtls.c')

diff --git a/dirmngr/http-ntbtls.c b/dirmngr/http-ntbtls.c
index 924b8b25f..ae5cf5519 100644
--- a/dirmngr/http-ntbtls.c
+++ b/dirmngr/http-ntbtls.c
@@ -77,8 +77,10 @@ gnupg_http_tls_verify_cb (void *opaque,
 validate_flags = VALIDATE_FLAG_TLS;
- /* If we are using the standard hkps:// pool use the dedicated
- * root certificate. */
+ /* If we are using the standard hkps:// pool use the dedicated root
+ * certificate. Note that this differes from the GnuTLS
+ * implementation which uses this special certificate only if no
+ * other certificates are configured. */
 hostname = ntbtls_get_hostname (tls);
 if (hostname && !ascii_strcasecmp (hostname, get_default_keyserver (1)))
--
cgit v1.2.3
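Review bot: The comment added in gnupg_http_tls_verify_cb says the ntbtls behaviour "differes from the GnuTLS implementation", while the commit description says the GnuTLS path in dirmngr/http.c is being aligned so that the special pool certificate is the only one used with the default keyserver. The http.c side is not shown in this view, but if it landed as described, the note documents a difference in TLS trust-anchor selection that no longer exists. It should then be dropped or reworded, e.g. `* certificate. The GnuTLS code in http.c follows the same rule. */`. If the note stays, correct the spelling to `differs`. The function body continues outside the hunk, so how the dedicated root is applied after the hostname match cannot be confirmed from here.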