[libsoup/cache] Allow version 1 CA certificates in clients



commit a408bd117705372f16ff25ec3adf698cff5186c9
Author: Patrick Ohly <patrick ohly gmx de>
Date:   Thu Jul 23 16:03:34 2009 +0200

    Allow version 1 CA certificates in clients
    
    This is done by setting the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
    flag while setting up the credentials and parsing the CA certificate
    file. This is necessary because without it, some releases of gnutls
    reject certificates that are currently in use by major sites, including
    Google.
    
    Setting the flag is safe in libsoup because the file is meant to
    contain only CA certificates. The main weakness around version 1
    certs is that personal certificates could be mistaken for CA certs,
    which shouldn't happen if libsoup is used as intended.
    
    Servers don't have the possibility to verify their clients, so this
    problem doesn't apply to them.
    
    http://bugzilla.gnome.org/show_bug.cgi?id=589323

 libsoup/soup-gnutls.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)
---
diff --git a/libsoup/soup-gnutls.c b/libsoup/soup-gnutls.c
index 0326c6b..2e3fd20 100644
--- a/libsoup/soup-gnutls.c
+++ b/libsoup/soup-gnutls.c
@@ -537,6 +537,10 @@ soup_ssl_get_client_credentials (const char *ca_file)
 	creds = g_slice_new0 (SoupSSLCredentials);
 	gnutls_certificate_allocate_credentials (&creds->creds);
 
+	/* http://bugzilla.gnome.org/show_bug.cgi?id=589323 */
+	gnutls_certificate_set_verify_flags (creds->creds,
+					     GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+
 	if (ca_file) {
 		creds->have_ca_file = TRUE;
 		status = gnutls_certificate_set_x509_trust_file (
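Review bot: the only comment on the new `gnutls_certificate_set_verify_flags` call is a bug URL; the reasoning from the commit message (the trust file is expected to contain only CA certificates, so a version 1 personal certificate cannot be mistaken for a CA) belongs in that comment, otherwise a later reader cannot tell that relaxing verification here is deliberate or under what assumption it is safe. Consider also moving the call inside the `if (ca_file)` branch that loads the trust file, since that file is the only thing the relaxation is justified for, and the flag is currently applied even when no CA file is configured.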


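As an added check (this is not libsoup or GnuTLS code): before relaxing verification to accept version 1 CA certificates, it helps to know which certificates in the trust file actually are version 1, since they carry no extensions (and so no basicConstraints) to mark them as CAs. The parser below reads just enough DER to report a certificate's version; the two byte strings are constructed, internally consistent prefixes, not real certificates.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed DER prefixes (Certificate/tbsCertificate headers, version,
 * serial); internally consistent but not real certificates. */
static const uint8_t sample_v3[] = {0x30,0x0a,0x30,0x08,0xa0,0x03,0x02,0x01,0x02,0x02,0x01,0x01};
static const uint8_t sample_v1[] = {0x30,0x05,0x30,0x03,0x02,0x01,0x01};

/* Parse a DER tag/length header at buf[*pos]. Returns the tag (or -1),
 * stores the content length in *len and moves *pos to the content. */
static int der_header(const uint8_t *buf, size_t n, size_t *pos, size_t *len)
{
    size_t p = *pos;
    int tag;
    if (p + 2 > n) return -1;
    tag = buf[p++];
    if (buf[p] < 0x80) {                  /* short form: one length byte */
        *len = buf[p++];
    } else {                              /* long form: 0x8N then N bytes */
        int nbytes = buf[p++] & 0x7f;
        if (nbytes == 0 || nbytes > 4 || p + nbytes > n) return -1;
        *len = 0;
        while (nbytes-- > 0) *len = (*len << 8) | buf[p++];
    }
    if (*len > n - p) return -1;          /* content must fit in the buffer */
    *pos = p;
    return tag;
}

/* X.509 version (1, 2 or 3) of a DER certificate, or -1 if malformed.
 * Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
 *     version [0] EXPLICIT INTEGER DEFAULT v1(0), serialNumber INTEGER, ... */
int x509_version(const uint8_t *der, size_t n)
{
    size_t pos = 0, len;
    if (der_header(der, n, &pos, &len) != 0x30) return -1;  /* Certificate */
    if (der_header(der, n, &pos, &len) != 0x30) return -1;  /* tbsCertificate */
    if (pos >= n) return -1;
    if (der[pos] != 0xa0) return 1;       /* no [0] tag: version defaults to v1 */
    if (der_header(der, n, &pos, &len) != 0xa0) return -1;
    if (der_header(der, n, &pos, &len) != 0x02 || len != 1) return -1;
    return der[pos] + 1;                  /* encoded 0/1/2 -> v1/v2/v3 */
}

int main(void)
{
    printf("sample_v3: version %d\n", x509_version(sample_v3, sizeof sample_v3));
    printf("sample_v1: version %d\n", x509_version(sample_v1, sizeof sample_v1));
    return 0;
}
```

Any certificate reported as version 1 is one that the flag in this commit will let act as a CA, so each such entry in the trust file should be confirmed to be a genuine root.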
