For the case of SIGNERNOTCA, INSECUREALG, or a newer unhandled value,
the "(a)ccept always" prompt was allowed, but the cert saving was
prevented by a check only against NOTTRUSTED. This ended up giving a
strange error message saying the cert was not saved.
Fix to save the cert for all errors except HOSTNAME (which is handled
separately).
fprintf(fp, "#H %s %s\n", hostname, fpbuf);
done = 1;
}
- if (certerr & CERTERR_NOTTRUSTED)
+ /* Save the cert for all other errors */
+ if (certerr ^ CERTERR_HOSTNAME)
{
done = 0;
ret = gnutls_pem_base64_encode_alloc("CERTIFICATE", certdata, &pemdata);
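Review bot: The new condition `if (certerr ^ CERTERR_HOSTNAME)` uses XOR, so it is false only when certerr equals CERTERR_HOSTNAME exactly, and it is also true when certerr is 0. If this block can be reached with no error bits set, the cert would be saved in that case as well. To express "any error other than HOSTNAME", as the comment and commit message describe, mask the bit out instead: `if (certerr & ~CERTERR_HOSTNAME)`. That form gives the same result for every non-zero certerr and evaluates to false for 0.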