# HG changeset patch
# User William Ehlhardt <williamehlhardt@gmail.com>
# Date 1187045385 0
# Node ID 0e17da726a8c97983e8365b949fc529e2a507c5d
# Parent  5cde8ad062045afd0b85616432b625c429251a34
- x509_signed_by now accepts a signature by an X.509 version 1
  certificate. Verisign (the signer of all MSN's certificates) and
  possibly others have root certificates that predate the current
  standards, and we can't reasonably reject Verisign certs.

diff -r 5cde8ad06204 -r 0e17da726a8c libpurple/plugins/ssl/ssl-gnutls.c
--- a/libpurple/plugins/ssl/ssl-gnutls.c	Mon Aug 13 22:44:23 2007 +0000
+++ b/libpurple/plugins/ssl/ssl-gnutls.c	Mon Aug 13 22:49:45 2007 +0000
@@ -697,7 +697,13 @@
 	/* Now, check the signature */
 	/* The second argument is a ptr to an array of "trusted" issuer certs,
 	   but we're only using one trusted one */
-	ret = gnutls_x509_crt_verify(crt_dat, &issuer_dat, 1, 0, &verify);
+	ret = gnutls_x509_crt_verify(crt_dat, &issuer_dat, 1,
+				     /* Permit signings by X.509v1 certs
+					(Verisign and possibly others have
+					root certificates that predate the
+					current standard) */
+				     GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
+				     &verify);
 	
 	if (ret != 0) {
 		purple_debug_error("gnutls/x509",