Handle GNUTLS_CERT_INVALID in TOFU code

GnuTLS should hopefully never set just this flag, but let's be fully
prepared for all scenarios.

diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
index 7748938bcfc74d97dcb1d37d29ce36ec67abd5fc..06bd0bb84cef6db7b82bd82e1ae886982d16d8df 100644 (file)
--- a/common/rfb/CSecurityTLS.cxx
+++ b/common/rfb/CSecurityTLS.cxx
@@ -417,7 +417,8 @@ void CSecurityTLS::checkSession()
     vlog.debug("Server host not previously known");
     vlog.debug("%s", info.data);
 
-    if (status & (GNUTLS_CERT_SIGNER_NOT_FOUND |
+    if (status & (GNUTLS_CERT_INVALID |
+                  GNUTLS_CERT_SIGNER_NOT_FOUND |
                   GNUTLS_CERT_SIGNER_NOT_CA)) {
       text = format("This certificate has been signed by an unknown "
                     "authority:\n"
@@ -458,7 +459,8 @@ void CSecurityTLS::checkSession()
     vlog.debug("Server host key mismatch");
     vlog.debug("%s", info.data);
 
-    if (status & (GNUTLS_CERT_SIGNER_NOT_FOUND |
+    if (status & (GNUTLS_CERT_INVALID |
+                  GNUTLS_CERT_SIGNER_NOT_FOUND |
                   GNUTLS_CERT_SIGNER_NOT_CA)) {
       text = format("This host is previously known with a different "
                     "certificate, and the new certificate has been "