authorDaniel Stenberg <daniel@haxx.se>2005-04-09 22:33:14 +0000
committerDaniel Stenberg <daniel@haxx.se>2005-04-09 22:33:14 +0000
commitf09e479fd62e62f7f81f6219c02b14c96cff6120 (patch)
treeac2274be387febbcc94c6d6a96916e09921a9a4e
parent80fe93bc338b3795a4ac32f1d15bc71861100ffd (diff)
Blah, revert my removal of the extra check since the problem is there for real.
Archived thread of the help-gnutls mailing list regarding this problem: http://lists.gnu.org/archive/html/help-gnutls/2005-04/msg00000.html (and I _am_ sorry for my confused behaviour on this problem.)
-rw-r--r--lib/gtls.c26
1 files changed, 19 insertions, 7 deletions
diff --git a/lib/gtls.c b/lib/gtls.c
index a87c3a03b..bc7cd27e3 100644
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -149,13 +149,25 @@ Curl_gtls_connect(struct connectdata *conn,
return CURLE_SSL_CONNECT_ERROR;
}
- /* set the trusted CA cert bundle file */
- rc = gnutls_certificate_set_x509_trust_file(conn->ssl[sockindex].cred,
- data->set.ssl.CAfile,
- GNUTLS_X509_FMT_PEM);
- if(rc) {
- infof(data, "error reading the ca cert file %s",
- data->set.ssl.CAfile);
+ if(data->set.ssl.CAfile) {
+ /* set the trusted CA cert bundle file */
+
+ /*
+ * Unfortunately, if a file name is set here and this function fails for
+ * whatever reason (missing file, bad file, etc), gnutls will no longer
+ * handshake properly but it just loops forever. Therefore, we must return
+ * error here if we get an error when setting the CA cert file name.
+ *
+ * (Question/report posted to the help-gnutls mailing list, April 8 2005)
+ */
+ rc = gnutls_certificate_set_x509_trust_file(conn->ssl[sockindex].cred,
+ data->set.ssl.CAfile,
+ GNUTLS_X509_FMT_PEM);
+ if(rc) {
+ failf(data, "error reading the ca cert file %s",
+ data->set.ssl.CAfile);
+ return CURLE_SSL_CACERT;
+ }
}
/* Initialize TLS session as a client */
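Review bot: The `if(rc)` test after gnutls_certificate_set_x509_trust_file() looks inverted for the success case: per the GnuTLS documentation that function returns the number of certificates processed on success and a negative code on error, so a bundle that loads correctly gives a positive rc and the new code returns CURLE_SSL_CACERT. The check should be `if(rc < 0) {`. A bundle that parses to zero certificates passes the current test and leaves the credentials without trust anchors; whether that case should also be rejected depends on the verification code, which is outside this hunk. Adding `gnutls_strerror(rc)` to the failf() message would let a user tell a missing file from a malformed one. Curl_gtls_connect starts before and continues after the hunk.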