From d6f73292fa5d5040981e6ecf354a7f638b81fc47 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Sat, 27 Oct 2012 17:46:53 +0900
Subject: [PATCH] gnutls: Added more status checking when verifying peer
---
 src/SocketCore.cc | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/SocketCore.cc b/src/SocketCore.cc
index 8c8bba60..2ee26e46 100644
--- a/src/SocketCore.cc
+++ b/src/SocketCore.cc
@@ -1060,6 +1060,17 @@ bool SocketCore::tlsHandshake(TLSContext* tlsctx, const std::string& hostname)
 if(status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
 errors += " `issuer is not known'";
 }
+ // TODO should check GNUTLS_CERT_SIGNER_NOT_CA ?
+ if(status & GNUTLS_CERT_INSECURE_ALGORITHM) {
+ errors += " `insecure algorithm'";
+ }
+ if(status & GNUTLS_CERT_NOT_ACTIVATED) {
+ errors += " `not activated yet'";
+ }
+ if(status & GNUTLS_CERT_EXPIRED) {
+ errors += " `expired'";
+ }
+ // TODO Add GNUTLS_CERT_SIGNATURE_FAILURE here
 if(!errors.empty()) {
 throw DL_ABORT_EX(fmt(MSG_CERT_VERIFICATION_FAILED, errors.c_str()));
 }
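Review bot: The two TODO comments leave GNUTLS_CERT_SIGNER_NOT_CA and GNUTLS_CERT_SIGNATURE_FAILURE unreported, and because the throw at the end of the hunk is gated on `errors.empty()`, a status word carrying only those bits (or any bit not in the list) produces no error text and the handshake continues — unless a check of a catch-all bit such as GNUTLS_CERT_INVALID precedes the hunk, which I cannot see from here since the start of the status-checking block and the rest of tlsHandshake lie outside the hunk. Both named flags are real GnuTLS status bits, so the checks can be added now in the same shape as the three the commit introduces, and a final guard should fail closed on any remaining nonzero status so that a future flag added by the library does not silently pass verification. The fence below holds the two new checks plus that guard, placed after the `expired` check.
```cpp
  if(status & GNUTLS_CERT_EXPIRED) {
    errors += " `expired'";
  }
  if(status & GNUTLS_CERT_SIGNER_NOT_CA) {
    errors += " `issuer is not a CA'";
  }
  if(status & GNUTLS_CERT_SIGNATURE_FAILURE) {
    errors += " `signature verification failed'";
  }
  // Fail closed: any status bit not recognized above is still a
  // verification failure and must not fall through to a successful handshake.
  if(status != 0 && errors.empty()) {
    errors += " `unrecognized verification status'";
  }
  // … unchanged: throw DL_ABORT_EX(...) when errors is non-empty …
```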