>From 98142d5c1b5446cbb712794c904869c633cbb622 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 27 Oct 2014 23:36:53 +0100
Subject: [PATCH 1/2] Added openconnect_set_system_trust()
This functions allows to disable the default system trust CAs.
Signed-off-by: Nikos Mavrogiannopoulos
---
 gnutls.c | 10 ++++++----
 library.c | 5 +++++
 openconnect-internal.h | 1 +
 openconnect.h | 8 ++++++++
 openssl.c | 5 +++--
 5 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/gnutls.c b/gnutls.c
index 5f1c9e5..303926a 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -1877,13 +1877,15 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 if (!vpninfo->https_cred) {
 gnutls_certificate_allocate_credentials(&vpninfo->https_cred);
+ if (!vpninfo->no_system_trust) {
 #ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_SYSTEM_TRUST
- gnutls_certificate_set_x509_system_trust(vpninfo->https_cred);
+ gnutls_certificate_set_x509_system_trust(vpninfo->https_cred);
 #else
- gnutls_certificate_set_x509_trust_file(vpninfo->https_cred,
- DEFAULT_SYSTEM_CAFILE,
- GNUTLS_X509_FMT_PEM);
+ gnutls_certificate_set_x509_trust_file(vpninfo->https_cred,
+ DEFAULT_SYSTEM_CAFILE,
+ GNUTLS_X509_FMT_PEM);
 #endif
+ }
 gnutls_certificate_set_verify_function(vpninfo->https_cred, verify_peer);
diff --git a/library.c b/library.c
index 1de96c4..358b233 100644
--- a/library.c
+++ b/library.c
@@ -311,6 +311,11 @@ int openconnect_set_cafile(struct openconnect_info *vpninfo, const char *cafile)
 return 0;
 }
+void openconnect_set_system_trust(struct openconnect_info *vpninfo, unsigned val)
+{
+ vpninfo->no_system_trust = !val;
+}
+
 int openconnect_set_server_cert_sha1(struct openconnect_info *vpninfo, const char *servercert)
 {
diff --git a/openconnect-internal.h b/openconnect-internal.h
index 4d79299..54c0089 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
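Review bot: The new `if (!vpninfo->no_system_trust)` check sits inside the `if (!vpninfo->https_cred)` block visible in the context, so the flag is only consulted the first time the credentials are allocated; a call to openconnect_set_system_trust() made after that point has no effect on an already-initialised vpninfo. The public comment in openconnect.h should state this, e.g. `/* Must be called before openconnect_open_https(); the setting is latched when the TLS credentials are first created. */`, and the openssl.c hunk presumably sits under the equivalent https_ctx guard and carries the same caveat. Separately, the re-indented call on the `+` line still discards the return value of gnutls_certificate_set_x509_system_trust() (and of gnutls_certificate_set_x509_trust_file() in the fallback), so an empty or unreadable system store is indistinguishable from a successful load here; the same applies to SSL_CTX_set_default_verify_paths() in the openssl.c hunk, which returns 0 on failure. openconnect_open_https() continues outside the hunk.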
@@ -240,6 +240,7 @@ struct openconnect_info {
 const char *sslkey;
 char *cert_password;
 char *cafile;
+ unsigned no_system_trust;
 char *servercert;
 const char *xmlconfig;
 char xmlsha1[(SHA1_SIZE * 2) + 1];
diff --git a/openconnect.h b/openconnect.h
index 7d660df..2293a6a 100644
--- a/openconnect.h
+++ b/openconnect.h
@@ -352,6 +352,14 @@ int openconnect_set_stoken_mode(struct openconnect_info *, int, const char *);
 void openconnect_set_xmlsha1(struct openconnect_info *, const char *, int size);
 int openconnect_set_cafile(struct openconnect_info *, const char *);
+
+/* call this function to disable the system trust from being used to
+ * verify the server certificate. @val is a boolean value.
+ *
+ * For backwards compatibility reasons this is enabled by default.
+ */
+void openconnect_set_system_trust(struct openconnect_info *vpninfo, unsigned val);
+
 int openconnect_setup_csd(struct openconnect_info *, uid_t, int silent, const char *wrapper);
 void openconnect_set_xmlpost(struct openconnect_info *, int enable);
diff --git a/openssl.c b/openssl.c
index aecd4b0..6bbd267 100644
--- a/openssl.c
+++ b/openssl.c
@@ -1373,8 +1373,9 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 SSL_CTX_set_cert_verify_callback(vpninfo->https_ctx, ssl_app_verify_callback, NULL);
 #endif
- SSL_CTX_set_default_verify_paths(vpninfo->https_ctx);
-
+ if (!vpninfo->no_system_trust)
+ SSL_CTX_set_default_verify_paths(vpninfo->https_ctx);
+
 if (vpninfo->pfs)
 SSL_CTX_set_cipher_list(vpninfo->https_ctx, "HIGH:!aNULL:!eNULL:-RSA");
-- 
2.0.0
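Review bot: The new declaration takes `unsigned val` while the neighbouring boolean setters in this header use `int` (`void openconnect_set_xmlpost(struct openconnect_info *, int enable);` two lines below), so for a consistent public API prefer `void openconnect_set_system_trust(struct openconnect_info *, int enable);` and mirror the type in the library.c definition. The new comment also reads as though calling the function disables system trust, whereas the library.c hunk stores `no_system_trust = !val`, so a non-zero argument enables it and zero disables it; suggest rewording the block to `/* Control whether the system CA trust store is used to verify the server certificate: non-zero (the default, kept for backwards compatibility) enables it, zero disables it. */`. Note that with system trust disabled and no cafile or server-certificate pin configured, there is no trust anchor left, which is worth one sentence in the same comment.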