From ee47b955a0742c8dfc4efbb355548c458d2f2198 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Wed, 27 May 2009 22:55:26 -0700
Subject: [PATCH] Don't prompt to save certificates that are already saved but invalid.
---
 ChangeLog | 8 ++++++++
 mutt_ssl_gnutls.c | 5 +++--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index d652e6d5b..86331669d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2009-05-27 22:52 -0700 Brendan Cully (90ef283c103e)
+
+ * mutt_ssl_gnutls.c: Don't leak gnutls certs on preauth validation
+ failure. Thanks to Miroslav Lichvar.
+
+ * mutt_ssl.c: Fix TLS certificate chain validation for
+ openssl.
+
 2009-05-25 17:31 -0700 Brendan Cully (8f11dd00c770)
 * mutt_ssl_gnutls.c: Fix a serious oversight validating TLS
diff --git a/mutt_ssl_gnutls.c b/mutt_ssl_gnutls.c
index e840694e5..09fce71fd 100644
--- a/mutt_ssl_gnutls.c
+++ b/mutt_ssl_gnutls.c
@@ -827,8 +827,9 @@ static int tls_check_one_certificate (const gnutls_datum_t *certdata,
 menu->title = title;
 /* certificates with bad dates, or that are revoked, must be accepted manually each and every time */
- if (SslCertFile && !(certerr & (CERTERR_EXPIRED | CERTERR_NOTYETVALID
- | CERTERR_REVOKED)))
+ if (SslCertFile && !savedcert
+ && !(certerr & (CERTERR_EXPIRED | CERTERR_NOTYETVALID
+ | CERTERR_REVOKED)))
 {
 menu->prompt = _("(r)eject, accept (o)nce, (a)ccept always");
 menu->keys = _("roa");
-- 
2.40.0
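Review bot: The comment above the rewritten condition in tls_check_one_certificate still names only bad dates and revocation, so the new `!savedcert` clause that also withholds "(a)ccept always" is undocumented. I would extend the comment with something like `/* a certificate already present in SslCertFile that still fails validation gains nothing from being saved again, so only offer reject / accept once */`. The assignment of `savedcert` lies outside this hunk, as does the rest of the function; it is worth confirming that it is initialised on every path that reaches this test, since an indeterminate value here decides whether a certificate that failed validation can be trusted permanently.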