Ensure proxy-ca.pem contains only one CA.

[tlsproxy/tlsproxy.git] / src / connection.c

diff --git a/src/connection.c b/src/connection.c
index a860a494c2b18e7d1bbe04b9f8902d7d77b83272..2b0f5d55c8ec3ea30cf499c2adaedde60d0a9169 100644 (file)
--- a/src/connection.c
+++ b/src/connection.c
@@ -59,7 +59,7 @@ static int initialize_tls_session_client(int peer_socket,
 static int initialize_tls_session_server(int peer_socket,
         gnutls_session_t *session,
         gnutls_certificate_credentials_t *x509_cred);
-static int initialize_tls_session_both(int flags,
+static int initialize_tls_session_both(unsigned int flags,
         int peer_socket,
         gnutls_session_t *session,
         gnutls_certificate_credentials_t *x509_cred);
@@ -406,6 +406,11 @@ static int initialize_tls_session_client(int peer_socket,
                 PROXY_CA_PATH);
             gnutls_certificate_free_credentials(*x509_cred);
             return -1;
+        } else if (result != 1) {
+            /* Must contain only one CA, our proxy CA. */
+            LOG(ERROR, "initialize_tls_session_client(): multiple CAs found");
+            gnutls_certificate_free_credentials(*x509_cred);
+            return -1;
         }
     }
     /* If the invalid hostname was specified do nothing, we use a self-signed
@@ -457,7 +462,7 @@ static int initialize_tls_session_server(int peer_socket,
     return initialize_tls_session_both(GNUTLS_CLIENT,
                                        peer_socket, session, x509_cred);
 }
-static int initialize_tls_session_both(int flags,
+static int initialize_tls_session_both(unsigned int flags,
         int peer_socket,
         gnutls_session_t *session,
         gnutls_certificate_credentials_t *x509_cred) {