X-Git-Url: http://sjero.net/git/?a=blobdiff_plain;f=src%2Fgnutls.c;h=54422fcf4930d62b954f93f8334cabffa8affdc6;hb=ae80fd2ec75fafdbec9895b9d973f2966209d588;hp=32c6d174548ba2e3ffc69b9168648dd03a10506d;hpb=370f96d36cac952a52f71cb2a2b03f4a64a6d93e;p=wget

diff --git a/src/gnutls.c b/src/gnutls.c
index 32c6d174..54422fcf 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -99,7 +99,7 @@ ssl_init (void)
   dir = opendir (ca_directory);
   if (dir == NULL)
     {
-      if (opt.ca_directory)
+      if (opt.ca_directory && *opt.ca_directory)
         logprintf (LOG_NOTQUIET, _("ERROR: Cannot open directory %s.\n"),
                    opt.ca_directory);
     }
@@ -376,8 +376,9 @@ ssl_connect_wget (int fd, const char *hostname)
 {
   struct wgnutls_transport_context *ctx;
   gnutls_session_t session;
-  int err;
+  int err,alert;
   gnutls_init (&session, GNUTLS_CLIENT);
+  const char *str;
 
   /* We set the server name but only if it's not an IP address. */
   if (! is_valid_ip_address (hostname))
@@ -401,7 +402,7 @@ ssl_connect_wget (int fd, const char *hostname)
       break;
     case secure_protocol_sslv2:
     case secure_protocol_sslv3:
-      err = gnutls_priority_set_direct (session, "NORMAL:-VERS-TLS-ALL", NULL);
+      err = gnutls_priority_set_direct (session, "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0", NULL);
       break;
     case secure_protocol_tlsv1:
       err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0", NULL);
@@ -440,10 +441,28 @@ ssl_connect_wget (int fd, const char *hostname)
       return false;
     }
 
-  err = gnutls_handshake (session);
+  /* We don't stop the handshake process for non-fatal errors */
+  do
+    {
+      err = gnutls_handshake (session);
+      if (err < 0)
+        {
+          logprintf (LOG_NOTQUIET, "GnuTLS: %s\n", gnutls_strerror (err));
+          if (err == GNUTLS_E_WARNING_ALERT_RECEIVED ||
+              err == GNUTLS_E_FATAL_ALERT_RECEIVED)
+            {
+              alert = gnutls_alert_get (session);
+              str = gnutls_alert_get_name (alert);
+              if (str == NULL)
+                str = "(unknown)";
+              logprintf (LOG_NOTQUIET, "GnuTLS: received alert [%d]: %s\n", alert, str);
+            }
+        }
+    }
+  while (err == GNUTLS_E_WARNING_ALERT_RECEIVED && gnutls_error_is_fatal (err) == 0);
+
   if (err < 0)
     {
-      logprintf (LOG_NOTQUIET, "GnuTLS: %s\n", gnutls_strerror (err));
       gnutls_deinit (session);
       return false;
     }
@@ -515,7 +534,7 @@ ssl_check_certificate (int fd, const char *host)
         {
           logprintf (LOG_NOTQUIET, _("No certificate found\n"));
           success = false;
-          goto out;
+          goto crt_deinit;
         }
       err = gnutls_x509_crt_import (cert, cert_list, GNUTLS_X509_FMT_DER);
       if (err < 0)
@@ -523,7 +542,7 @@ ssl_check_certificate (int fd, const char *host)
           logprintf (LOG_NOTQUIET, _("Error parsing certificate: %s\n"),
                      gnutls_strerror (err));
           success = false;
-          goto out;
+          goto crt_deinit;
         }
       if (now < gnutls_x509_crt_get_activation_time (cert))
         {
@@ -542,6 +561,7 @@ ssl_check_certificate (int fd, const char *host)
                      quote (host));
           success = false;
         }
+ crt_deinit:
       gnutls_x509_crt_deinit (cert);
    }