From f09e479fd62e62f7f81f6219c02b14c96cff6120 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sat, 9 Apr 2005 22:33:14 +0000
Subject: [PATCH] Blah, revert my removal of the extra check since the problem
 is there for real.

Archived thread of the help-gnutls mailing list regarding this problem:

http://lists.gnu.org/archive/html/help-gnutls/2005-04/msg00000.html

(and I _am_ sorry for my confused behaviour on this problem.)
---
 lib/gtls.c | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/lib/gtls.c b/lib/gtls.c
index a87c3a03b3..bc7cd27e3f 100644
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -149,13 +149,25 @@ Curl_gtls_connect(struct connectdata *conn,
     return CURLE_SSL_CONNECT_ERROR;
   }
 
-  /* set the trusted CA cert bundle file */
-  rc = gnutls_certificate_set_x509_trust_file(conn->ssl[sockindex].cred,
-                                              data->set.ssl.CAfile,
-                                              GNUTLS_X509_FMT_PEM);
-  if(rc) {
-    infof(data, "error reading the ca cert file %s",
-          data->set.ssl.CAfile);
+  if(data->set.ssl.CAfile) {
+    /* set the trusted CA cert bundle file */
+
+    /*
+     * Unfortunately, if a file name is set here and this function fails for
+     * whatever reason (missing file, bad file, etc), gnutls will no longer
+     * handshake properly but it just loops forever. Therefore, we must return
+     * error here if we get an error when setting the CA cert file name.
+     *
+     * (Question/report posted to the help-gnutls mailing list, April 8 2005)
+     */
+    rc = gnutls_certificate_set_x509_trust_file(conn->ssl[sockindex].cred,
+                                                data->set.ssl.CAfile,
+                                                GNUTLS_X509_FMT_PEM);
+    if(rc) {
+      failf(data, "error reading the ca cert file %s",
+            data->set.ssl.CAfile);
+      return CURLE_SSL_CACERT;
+    }
   }
 
   /* Initialize TLS session as a client */
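Review bot: The `if(rc)` test on the new trust-file call treats a successful load as a failure, because gnutls_certificate_set_x509_trust_file() returns the number of certificates it processed (positive for any non-empty bundle) and a negative value only on error; combined with the new early return, every connection configured with a usable CA bundle would abort with CURLE_SSL_CACERT, which is the opposite of what the check intends. The condition should read `if(rc < 0) {`, and the count is worth reporting on the success path so a zero-certificate bundle is visible in the verbose log, e.g. `infof(data, "found %d certificates in %s\n", rc, data->set.ssl.CAfile);`. The early return itself is the right choice given the comment's observation that a failed trust-file load leaves the handshake looping: surfacing the misconfiguration to the caller is preferable to continuing with an empty trust store. Curl_gtls_connect begins before this hunk and continues after it.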
-- 
GitLab